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CHAPTER 1 
INTRODUCTION TO iAPX 286 



The iAPX 286 is the most powerful processor 
in the iAPX 86 series of microprocessors, 
which includes the iAPX 86 (8086), the iAPX 
88 (8088), the iAPX 186 (80186), and now 
the iAPX 286 (80286). It is designed for 
applications that require very high perfor- 
mance. It is also an excellent choice for 
sophisticated "high end" applications that will 
benefit from its advanced architectural 
features: memory management, protection 
mechanisms, task management, and virtual 
memory support. The iAPX 286 provides, on 
a single VLSI chip, computational and archi- 
tectural characteristics normally associated 
with much larger minicomputers. 

Sections 1.1, 1.2, and 1.3 provide an overview 
of the iAPX 286 architecture. Because the 
iAPX 286 represents a revolutionary exten- 
sion of the iAPX 86 architecture, some of this 
overview material may be new and unfamil- 
iar to previous users of the iAPX 86 and 
similar microprocessors. But the iAPX 286 is 
also an evolutionary development, with the 
new architecture superimposed upon the 
industry standard iAPX 86 in such a way as 
to affect only the design and programming of 
operating systems and other such system 
software. Section 1.4 provides a guide to the 
organization of this manual, suggesting 
which chapters are relevant to the needs of 
particular readers. 

1.1 GENERAL ATTRIBUTES 

The iAPX 286 base architecture has many 
features in common with the architecture of 
other members of the iAPX 86 family, such 
as byte addressable memory, I/O interfacing 
hardware, interrupt vectoring, and support for 
both multiprocessing and processor exten- 
sions. The entire family has a common set of 
addressing modes and basic instructions. The 



iAPX 286 base architecture also includes a 
number of extensions which add to the versa- 
tility of the computer. 

The iAPX 286 processor can function in two 
modes of operation (see section 1.2, Modes of 
Operation). In one of these modes only the 
base architecture is available to program- 
mers, whereas in the other mode a number of 
very powerful advanced features have been 
added, including support for virtual memory, 
multitasking, and a sophisticated protection 
mechanism. These advanced features are 
described in section 1.3. 

The iAPX 286 base architecture was designed 
to support programming in high-level 
languages, such as Pascal or PL/M. The 
register set and instructions are well suited to 
compiler-generated code. The addressing 
modes (see section 2.6.3) allow efficient 
addressing of complex data structures, such 
as static and dynamic arrays, records, and 
arrays within records, which are commonly 
supported by high-level languages. The data 
types supported by the architecture include, 
along with bytes and words, high level 
language constructs such as strings, BCD, and 
floating point. 

The memory architecture of the iAPX 286 
was designed to support modular program- 
ming techniques. Memory is divided into 
segments, which may be of arbitrary size, that 
can be used to contain procedures and data 
structures. Segmentation has several advan- 
tages over more conventional linear memory 
architectures. It supports structured software, 
since segments can contain meaningful 
program units and data, and more compact 
code, since references within a segment can 
be shorter (and locality of reference usually 
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insures that the next few references will be 
within the same segment). Segmentation also 
lends itself to efficient implementation of 
sophisticated memory management, virtual 
memory, and memory protection. 

In addition, new instructions have been added 
to the base architecture to give hardware 
support for procedure invocations, parameter 
passing, and array bounds checking. 

1.2 MODES OF OPERATION 

The iAPX 286 can be operated in either of 
two different modes: Real Address Mode or 
Protected Virtual Address Mode (also 
referred to as Protected Mode). In either 
mode of operation, the iAPX 286 represents 
an upwardly compatible addition to the iAPX 
86 family of processors. 

In Real Address Mode, the iAPX 286 
operates essentially as a very high-perfor- 
mance iAPX 86 (8086). Programs written for 
the iAPX 86 or the iAPX 186 can be executed 
in this mode without any modification (the 
few exceptions are described in Appendix D, 
"Compatibility Considerations"). Such 
upward compatibility extends even to the 
object code level; for example, an 8086 
program stored in read-only memory will 
execute successfully in iAPX 286 Real 
Address Mode. An iAPX 286 operating in 
Real Address Mode provides a number of 
instructions not found on the iAPX 86. These 
additional instructions, also present with the 
iAPX 186, allow for efficient subroutine 
linkage, parameter validation, index calcula- 
tions, and block I/O transfers. 

The advanced architectural features and full 
capabilities of the iAPX 286 are realized in 
its native Protected Mode. Among these 
features are sophisticated mechanisms to 
support data protection, system integrity, task 
concurrency, and memory management, 



including virtual storage. Nevertheless, even 
in Protected Mode, the iAPX 286 remains 
upwardly compatible with most iAPX 86 and 
iAPX 186 application programs. Most iAPX 
86 applications programs can be re-compiled 
or re-assembled and executed on the 
iAPX 286 in Protected Mode. 

1.3 ADVANCED FEATURES 

The architectural features described in section 
1.1 are common to both operating modes of 
the processor. In addition to these common 
features, Protected Mode provides a number 
of advanced features, including a greatly 
extended physical and logical address space, 
new instructions, and support for additional 
hardware-recognized data structures. The 
Protected Mode iAPX 286 includes a sophis- 
ticated memory management and multilevel 
protection mechanism. Full hardware support 
is included for multitasking and task switch- 
ing operations. 

1.3.1 Memory Management 

The memory architecture of the Protected 
Mode iAPX 286 represents a significant 
advance over that of the iAPX 86. The physi- 
cal address space has been increased from 
1 megabyte to 16 megabytes (2 24 bytes), while 
the virtual address space (i.e., the address 
space visible to a program) has been increased 
from 1 megabyte to 1 gigabyte (2 30 bytes). 
Moreover, separate virtual address spaces are 
provided for each task in a multi- 
tasking system (see section 1.3.2, "Task 
Management"). 

The iAPX 286 supports on-chip memory 
management instead of relying on an exter- 
nal memory management unit. The one-chip 
solution is preferable because no software is 
required to manage an external memory 
management unit, performance is much 
better, and hardware designs are significantly 
simpler. 
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Mechanisms have been included in the iAPX 
286 architecture to allow the efficient imple- 
mentation of virtual memory systems. (In 
virtual memory systems, the user regards the 
combination of main and external storage as 
a single large memory. The user can write 
large programs without worrying about the 
physical memory limitations of the system. To 
accomplish this, the operating system places 
some of the user programs and data in exter- 
nal storage and brings them into main 
memory only as they are needed.) All 
instructions that can cause a segment-not- 
present fault are fully restartable. Thus, a not- 
present segment can be loaded from external 
storage, and the task can be restarted at the 
point where the fault occurred. 

The iAPX 286, like all members of the iAPX 
86 series, supports a segmented memory 
architecture. The iAPX 286 also fully 
integrates memory segmentation into a 
comprehensive protection scheme. This 
protection scheme includes hardware-enforced 
length and type checking to protect segments 
from inadvertent misuse. 

1.3.2 Task Management 

The iAPX 286 is designed to support multi- 
tasking systems. The architecture provides 
direct support for the concept of a task. For 
example, task state segments (see section 8.2) 
are hardware-recognized and hardware- 
manipulated structures that contain infor- 
mation on the current state of all tasks in the 
system. 

Very efficient context-switching (task- 
switching) can be invoked with a single 
instruction. Separate logical address spaces 
are provided for each task in the system. 
Finally, mechanisms exist to support inter- 
task communication, synchronization, 
memory sharing, and task scheduling. Task 
Management is described in Chapter 8. 



1.3.3 Protection Mechanisms 

The iAPX 286 allows the system designer to 
define a comprehensive protection policy to be 
applied, uniformly and continuously, to all 
ongoing operations of the system. Such a 
policy may be desirable to ensure system 
reliability, privacy of data, rapid error recov- 
ery, and separation of multiple users. 

The iAPX 286 protection mechanisms are 
based on the notion of a "hierarchy of trust." 
Four privilege levels are distinguished, 
ranging from Level (most trusted) to Level 
3 (least trusted). Level is usually reserved 
for the operating system kernel. The four 
levels may be visualized as concentric rings, 
with the most privileged level in the center 
(see figure 1-1). 

This four-level scheme offers system reliabil- 
ity, flexibility, and design options not possible 
with the typical two-level (supervisor/user) 
separation provided by other processors. A 
four-level division is capable of separating 
kernel, executive, system services, and 
application software, each with different 
privileges. 

At any one time, a task executes at one of the 
four levels. Moreover, all data segments and 
code segments are also assigned to privilege 
levels. A task executing at one level cannot 
access data at a more privileged level, nor can 
it call a procedure at a less privileged level 
(i.e., trust a less privileged procedure to do 
work for it). Thus, both access to data and 
transfer of control are restricted in appro- 
priate ways. 

A complete separation can exist between the 
logical address spaces local to different tasks, 
providing users with automatic protection 
against accidental or malicious interference by 
other users. The hardware also provides 
immediate detection of a number of fault and 
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LEAST TRUSTED 



MOST TRUSTED 



Figure 1-1. Four Privilege Levels 



error conditions, a feature that can be useful 
in the development and maintenance of 
software. 

Finally, these protection mechanisms require 
relatively little system overhead because they 
are integrated into the memory management 
and protection hardware of the processor 
itself. 

1.3.4 Support for Operating Systems 

Most operating systems involve some degree 
of concurrency, with multiple tasks vying for 
system resources. The task management 
mechanisms described above provide the 
iAPX 286 with inherent support for such 
multi-tasking systems. Moreover, the 
advanced memory management features of 
the iAPX 286 allow the implementation of 
sophisticated virtual memory systems. 



Operating system implementors have found 
that a multi-level approach to system services 
provides better security and more reliable 
systems. For example, a very secure kernel 
might implement critical functions such as 
task scheduling and resource allocation, while 
less fundamental functions (such as I/O) are 
built around the kernel. This layered approach 
also makes program development and 
enhancement simpler and facilitates error 
detection and debugging. The iAPX 286 
supports the layered approach through its 
four-level privilege scheme. 



1.4 ORGANIZATION OF THIS MANUAL 

To facilitate the use of this manual both as 
an introduction to the iAPX 286 architecture 
and as a reference guide, the remaining 
chapters are divided into three major parts. 
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Part I, comprising chapters 2 through 4, 
should be read by all those who wish to 
acquire a basic familiarity with the iAPX 286 
architecture. These chapters provide detailed 
information on memory segmentation, regis- 
ters, addressing modes and the general 
(application level) iAPX 286 instruction set. 
In conjunction with the iAPX 286 Assembly 
Language Reference Manual, these chapters 
provide sufficient information for an assem- 
bly language programmer to design and write 
application programs. 

The chapters in Part I are: 

Chapter 2, "Architectural Features." This 
chapter discusses those features of the iAPX 
286 architecture that are significant for 
application programmers. The information 
presented can also function as an introduc- 
tion to the machine for system programmers. 
Memory organization and segmentation, 
processor registers, addressing modes, and 
instruction formats are all discussed. 

Chapter 3, "Basic Instruction Set." This 
chapter presents the core instructions of the 
iAPX 86 family. 

Chapter 4, "Extended Instruction Set." This 
chapter presents the extended instructions 
shared by the iAPX 186 and iAPX 286 
processors. 

Part II of the manual consists of a single 
chapter: 

Chapter 5, "Real Address Mode." This 
chapter presents the system programmer's 
view of the iAPX 286 when the processor is 
operated in Real Address Mode. 

Part III of the manual comprises chapters 6 
through 11. Aimed primarily at system 
programmers, these chapters discuss the more 
advanced architectural features of the iAPX 



286, which are available when the processor 
is in Protected Mode. Details on memory 
management, protection mechanisms, and 
task switching are provided. 

The chapters in Part III are: 

Chapter 6, "Virtual Memory." This chapter 
describes the iAPX 286 address translation 
mechanisms that support virtual memory. 
Segment descriptors, global and local 
descriptor tables, and descriptor caches are 
discussed. 

Chapter 7, "Protection." This chapter 
describes the protection features of the iAPX 
286. Privilege levels, segment attributes, 
access restrictions, and call gates are 
discussed. 

Chapter 8, "Tasks and State Transitions." 
This chapter describes the iAPX 286 mecha- 
nisms that support concurrent tasks. Context- 
switching, task state segments, task gates, and 
interrupt tasks are discussed. 

Chapter 9, "Interrupts, Traps and Faults." 
This chapter describes interrupt and trap 
handling. Special attention is paid to the 
exception traps, or faults, which may occur in 
Protected Mode. Interrupt gates, trap gates, 
and the interrupt descriptor table are 
discussed. 

Chapter 10, "System Control and Initializa- 
tion." This chapter describes the actual 
instructions used to implement the memory 
management, protection, and task support 
features of the iAPX 286. System registers, 
privileged instructions, and the initial machine 
state are discussed. 

Chapter 11, "Advanced Topics." This chapter 
completes Part III with a description of 
several advanced topics, including special 
segment attributes and pointer validation. 
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CHAPTER 2 
iAPX 286 BASE ARCHITECTURE 



This chapter describes the iAPX 286 appli- 
cation programming environment as seen by 
assembly language programmers. It is 
intended to introduce the programmer to 
those features of the iAPX 286 architecture 
that directly affect the design and implemen- 
tation of iAPX 286 application programs. 



The programmer views the virtual address 
space on the iAPX 286 as a collection of up 
to sixteen thousand linear subspaces, each 
with a specified size or length. Each of these 
linear address spaces is called a segment. A 
segment is a logical unit of contiguous 
memory. Segment sizes may range from one 
byte up to 64K (65,536) bytes. 



2.1 MEMORY ORGANIZATION AND 
SEGMENTATION 

The main memory of an iAPX 286 system 
makes up its physical address space. This 
address space is organized as a sequence of 
8-bit quantities, called bytes. Each byte is 
assigned a unique address ranging from up 
to a maximum of 2 20 (1 megabyte) in Real 
Address Mode, and up to 2 24 (16 megabytes) 
in Protected Mode. 

A virtual address space is the organization of 
memory as viewed by a program. Virtual 
address space is also organized in units of 
bytes. (Other addressable units such as words, 
strings, and BCD digits are described below 
in section 2.2, "Data Types.") In Real 
Address Mode, as with the 8086 itself, 
programs view physical memory directly, 
inasmuch as they manipulate pure physical 
addresses. Thus, the virtual address space is 
identical to the physical address space (1 
megabyte). 

In Protected Mode, however, programs have 
no direct access to physical addresses. Instead, 
memory is viewed as a much larger virtual 
address space of 2 30 bytes ( 1 gigabyte). This 
1 gigabyte virtual address is mapped onto the 
Protected Mode's 16-megabyte physical 
address space by the address translation 
mechanisms described in Chapter 6. 



iAPX 286 memory segmentation supports the 
logical structure of programs and data in 
memory. Programs are not written as single 
linear sequences of instructions and data, but 
rather as modules of code and data. For 
example, program code may include a main 
routine and several separate procedures. Data 
may also be organized into various data 
structures, some private and some shared with 
other programs in the system. Run-time 
stacks constitute yet another data require- 
ment. Each of these several modules of code 
and data, moreover, may be very different in 
size or vary dynamically with program 
execution. 

Segmentation supports this logical structure 
(see figure 2-1). Each meaningful module of 
a program may be separately contained in 
individual segments. The degree of modular- 
ization, of course, depends on the require- 
ments of a particular application. Use of 
segmentation benefits almost all applications. 
Programs execute faster and require less 
space. Segmentation also simplifies the design 
of structured software. 



2.2 DATATYPES 

Bytes and words are the fundamental units in 
which the iAPX 286 manipulates data, i.e., 
the fundamental data types. 
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Figure 2-1. Segmented Virtual Memory 



A byte is 8 contiguous bits starting on an 
addressable byte boundary. The bits are 
numbered through 7, starting from the 
right. Bit 7 is the most significant bit: 



7 o 



Each byte within a word has its own particu- 
lar address, and the smaller of the two 
addresses is used as the address of the word. 
The byte at this lower address contains the 
eight least significant bits of the word, while 
the byte at the higher address contains the 
eight most significant bits. The arrangement 
of bytes within words is illustrated in 
figure 2-2. 



A word is defined as two contiguous bytes 
starting on an arbitrary byte boundary; a word 
thus contains 16 bits. The bits are numbered 
through 15, starting from the right. Bit 15 
is the most significant bit. The byte contain- 
ing bit of the word is called the low byte; 
the byte containing bit 15 is called the high 
byte. 



HIGH BYTE 
I I I I I I 



LOW BYTE 
J— I I— J L_ 



LOCATIONN+1 



LOCATION N 



Note that a word need not be aligned at an 
even-numbered byte address. This allows 
maximum flexibility in data structures (e.g., 
records containing mixed byte and word 
entries) and efficiency in memory utilization. 
Although actual transfers of data between the 
processor and memory take place at physi- 
cally aligned word boundaries, the iAPX 286 
converts requests for unaligned words into the 
appropriate sequences of requests acceptable 
to the memory interface. Such odd aligned 
word transfers, however, may impact 
performance by requiring two memory cycles 
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Figure 2-2. Bytes and Words in Memory 

to transfer the word rather than one. Data 
structures (e.g., stacks) should therefore be 
designed in such a way that word operands 
are aligned on word boundaries whenever 
possible for maximum system performance. 
Due to instruction prefetching and queueing 
within the CPU, there is no requirement for 
instructions to be aligned on word boundaries 
and no performance loss if they are not. 

Although bytes and words are the fundamen- 
tal data types of operands, the processor also 
supports additional interpretations on these 
bytes or words. Depending on the instruction 
referencing the operand, the following 
additional data types can be recognized: 

Integer: 

A signed binary numeric value contained 
in an 8-bit byte or a 16-bit word. All 
operations assume a 2's complement 
representation. (Signed 32- and 64-bit 
integers are supported using the iAPX 
286/20 Numeric Data Processor.) 



Ordinal: 

An unsigned binary numeric value 
contained in an 8-bit byte or 16-bit word. 

Pointer: 

A 32-bit address quantity composed of a 
segment selector component and an offset 
component. Each component is a 16-bit 
word. 

String: 

A contiguous sequence of bytes or words. 
A string may contain from 1 byte to 64K 
bytes. 

ASCII: 

A byte representation of alphanumeric and 
control characters using the ASCII 
standard of character representation. 

BCD: 

A byte (unpacked) representation of the 
decimal digits (0-9). 

Packed BCD: 

A byte (packed) representation of two 
decimal digits (0-9). One digit is stored in 
each nibble of the byte. 

Floating Point: 

A signed 32-, 64-, or 80-bit real number 
representation. (Floating operands are 
supported using the iAPX 286/20 Numeric 
Processor Configuration.) 

Figure 2-3 graphically represents the data 
types supported. by the iAPX 286. iAPX 286 
arithmetic operations may be performed on 
five types of numbers: unsigned binary, signed 
binary (integers), unsigned packed decimal, 
unsigned unpacked decimal, and floating 
point. Binary numbers may be 8 or 16 bits 
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long. Decimal numbers are stored in bytes; 
two digits per byte for packed decimal, one 
digit per byte for unpacked decimal. The 
processor always assumes that the operands 
specified in arithmetic instructions contain 
data that represent valid numbers for the type 
of instruction being performed. Invalid data 
may produce unpredictable results. 

Unsigned binary numbers may be either 8 or 
16 bits long; all bits are considered in deter- 
mining a number's magnitude. The value 
range of an 8-bit unsigned binary number is 
0-255; 16 bits can represent values from 
through 65,535. Addition, subtraction, multi- 
plication and division operations are available 
for unsigned binary numbers. 

Signed binary numbers (integers) may be 
either 8 or 16 bits long. The high-order 
(leftmost) bit is interpreted as the number's 
sign: = positive and 1= negative. Negative 
numbers are represented in standard two's 
complement notation. Since the high-order bit 
is used for a sign, the range of an 8-bit integer 
is —128 through +127; 16-bit integers may 
range from —32,768 through +32,767. The 
value zero has a positive sign. 

Separate multiplication and division opera- 
tions are provided for both signed and 
unsigned binary numbers. The same addition 
and subtraction instructions are used with 
signed or unsigned binary values. Conditional 
jump instructions, as well as an "interrupt on 
overflow" instruction, can be used following 
an unsigned operation on an integer to detect 
overflow into the sign bit. 

Unpacked decimal numbers are stored as 
unsigned byte quantities. One digit is stored 
in each byte. The magnitude of the number 
is determined from the low-order half-byte; 
hexadecimal values 0-9 are valid and are 
interpreted as decimal numbers. The high- 



order half-byte must be zero for multiplica- 
tion and division; it may contain any value for 
addition and subtraction. 

Arithmetic on unpacked decimal numbers is 
performed in two steps. The unsigned binary 
addition, subtraction and multiplication 
operations are used to produce an intermedi- 
ate result. An adjustment instruction then 
changes the value to a final correct unpacked 
decimal number. Division is performed 
similarly, except that the adjustment is carried 
out on the two digit numerator operand in 
register AX first, followed by an unsigned 
binary division instruction that produces a 
correct result. 

Unpacked decimal numbers are similar to the 
ASCII character representations of the digits 
0-9. Note, however, that the high-order half- 
byte of an ASCII numeral is always 3. 
Unpacked decimal arithmetic may be 
performed on ASCII numeric characters 
under the following conditions: 

• the high-order half-byte of an ASCII 
numeral must be set to OH prior to 
multiplication or division. 

• unpacked decimal arithmetic leaves the 
high-order half-byte set to OH; it must be 
set to 3 to produce a valid ASCII 
numeral. 

Packed decimal numbers are stored as 
unsigned byte quantities. The byte is treated 
as having one decimal digit in each half-byte 
(nibble); the digit in the high-order half-byte 
is the most significant. Values 0-9 are valid 
in each half-byte, and the range of a packed 
decimal number is 0-99. Additions and 
subtractions are performed in two steps. First, 
an addition or subtraction instruction is used 
to produce an intermediate result. Then, an 
adjustment operation is performed which 
changes the intermediate value to a final 
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2.3 REGISTERS 

The iAPX 286 contains a total of fourteen 
registers that are of interest to the applica- 
tion programmer. (Five additional registers 
used by system programmers are covered in 
section 10.1.) As shown in figure 2-4, these 
registers may be grouped into four basic 
categories: 

• General registers. These eight 16-bit 
general-purpose registers are used 
primarily to contain operands for arith- 
metic and logical operations. 

• Segment registers. These four special- 
purpose registers determine, at any given 
time, which segments of memory are 
currently addressable. 

• Status and Control registers. These three 
special-purpose registers are used to 
record and alter certain aspects of the 
iAPX 286 processor state. 

2.3.1 General Registers 

The general registers of the iAPX 286 are the 
16-bit registers AX, BX, CX, DX, SP, BP, 
SI, and DI. These registers are used inter- 
changeably to contain the operands of logical 
and arithmetic operations. 

Some instructions and addressing modes (see 
section 2.4), however, dedicate certain general 
registers to specific uses. BX and BP are often 
used to contain the base address of data 
structures in memory (for example, the start- 
ing address of an array); for this reason, they 
are often referred to as the base registers. 
Similarly, SI and DI are often used to contain 
an index value that will be incremented to step 
through a data structure; these two registers 
are called the index registers. Finally, SP and 
BP are used for stack manipulation. Both SP 
and BP normally contain offsets into the 
current stack. SP generally contains the offset 
of the top of the stack and BP contains the 



correct packed decimal result. Multiplication 
and division adjustments are only available for 
unpacked decimal numbers. 

Pointers and addresses are described below in 
section 2.3.3, "Index, Pointer, and Base 
Registers," and in section 3.8, "Address 
Manipulation Instructions." 

Strings are contiguous bytes or words from 1 
to 64K bytes in length. They generally contain 
ASCII or other character data representa- 
tions. The iAPX 286 provides string manip- 
ulation instructions to move, examine, or 
modify a string (see section 3.7, "Character 
Translation and String Instructions"). 

If the 80287 numerics processor extension 
(NPX) is present in the system (the iAPX 
286/20 configuration), the iAPX 286 archi- 
tecture also supports floating point numbers, 
32- and 64-bit integers, and 18-digit BCD 
data types. 

The iAPX 286/20 Numeric Data Processor 
supports and stores real numbers in a three- 
field binary format as required by IEEE 
standard 754 for floating point numerics (see 
figure 2-3). The number's significant digits 
are held in the significand field, the exponent 
field locates the binary point within the 
significant digits (and therefore determines 
the number's magnitude), and the sign field 
indicates whether the number is positive or 
negative. (The exponent and significand are 
analogous to the terms "characteristic" and 
"mantissa," typically used to describe float- 
ing point numbers on some computers.) This 
format is used by the iAPX 286/20 with 
various length significands and exponents to 
support single precision, double precision and 
extended (80-bit) precision floating point data 
types. Negative numbers differ from positive 
numbers only in their sign bits. 
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offset or base address of the current stack 
frame. The use of these general-purpose 
registers for operand addressing is discussed 
in section 2.3.3, "Index, Pointer, and Base 
Registers." Register usage for individual 
instructions is discussed in chapters 3 and 4. 

As shown in figure 2-4, eight byte registers 
overlap four of the 16-bit general registers. 
These registers are named AH, BH, CH, and 
DH (high bytes); and AL, BL, CL, and DL 
(low bytes); they overlap AX, BX, CX, and 
DX. These registers can be used either in their 
entirety or as individual 8-bit registers. This 
dual interpretation simplifies the handling of 
both 8- and 16-bit data elements. 

2.3.2 Memory Segmentation and Segment 
Registers 

Complete programs generally consist of many 
different code modules (or segments), and 
different types of data segments. However, at 
any given time during program execution, 
only a small subset of a program's segments 



are actually in use. Generally, this subset will 
include code, data, and possibly a stack. The 
iAPX 286 architecture takes advantage of this 
by providing mechanisms to support direct 
access to the working set of a program's 
execution environment and access to 
additional segments on demand. 

At any given instant, four segments of 
memory are immediately accessible to an 
executing iAPX 286 program. The segment 
registers DS, ES, SS, and CS are used to 
identify these four current segments. Each of 
these registers specifies a particular kind of 
segment, as characterized by the associated 
mnemonics ("code," "stack," "data," or 
"extra") shown in figure 2-4. 

An executing program is provided with 
concurrent access to the four individual 
segments of memory — a code segment, a stack 
segment, and two data segments — by means 
of the four segment registers. Each may be 
said to select a segment, since it uniquely 
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determines the one particular segment from 
among the numerous segments in memory, 
which is to be immediately accessible at 
highest speed. Thus, the 16-bit contents of a 
segment register is called a segment selector. 

Once a segment is selected, a base address is 
associated with it. To address an element 
within a segment, a 16-bit offset from the 
segment's base address must be supplied. The 
16-bit segment selector and the 16-bit offset 
taken together form the high and low order 
halves, respectively, of a 32-bit virtual address 
pointer. Once a segment is selected, only the 
lower 16-bits of the pointer, called the offset, 
generally need to be specified by an instruc- 
tion. Simple rules define which segment 
register is used to form an address when only 
a 1 6-bit offset is specified. 

An executing program requires, first of all, 
that its instructions reside somewhere in 
memory. The segment of memory containing 
the currently executing sequence of instruc- 
tions is known as the current code segment; it 
is specified by means of the CS register. All 
instructions are fetched from this code 
segment, using as an offset the contents of the 
instruction pointer (IP). The CS:IP register 
combination therefore forms the full 32-bit 
pointer for the next sequential program 
instruction. The CS register is manipulated 
indirectly. Transitions from one code segment 
to another (e.g., a procedure call) are effected 
implicitly as the result of control-transfer 
instructions, interrupts, and trap operations. 

Stacks play a fundamental role in the iAPX 
286 architecture; subroutine calls, for 
example, involve a number of implicit stack 
operations. Thus, an executing program will 
generally require a region of memory for its 
stack. The segment containing this region is 
known as the current stack segment, and it is 
specified by means of the SS register. All 



stack operations are performed within this 
segment, usually in terms of address offsets 
contained in the stack pointer (SP) and stack 
frame base (BP) registers. Unlike CS, the SS 
register can be loaded explicitly for dynamic 
stack definition. 

Beyond their code and stack requirements, 
most programs must also fetch and store data 
in memory. The DS and ES registers allow 
the specification of two data segments, each 
addressable by the currently executing 
program. Accessibility to two separate data 
areas supports differentiation and access 
requirements like local procedure data and 
global process data. An operand within a data 
segment is addressed by specifying its offset 
either directly in an instruction or indirectly 
via index and/or base registers (described in 
the next subsection). 

Depending on the data structure (e.g., the way 
data is parceled into one or more segments), 
a program may require access to multiple data 
segments. To access additional segments, the 
DS and ES registers can be loaded under 
program control during the course of a 
program's execution. This simply requires 
loading the appropriate data pointer prior to 
accessing the data. 

The interpretation of segment selector values 
depends on the operating mode of the proces- 
sor. In Real Address Mode, a segment selec- 
tor is a physical address (figure 2-5). In 
Protected Mode, a segment selector selects a 
segment of the user's virtual address space 
(figure 2-6). An intervening level of logical- 
to-physical address translation converts the 
logical address to a physical memory address. 
Chapter 6, "Memory Management," provides 
a detailed discussion of Protected Mode 
addressing. In general, considerations of 
selector formats and the details of memory 
mapping need not concern the application 
programmer. 
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2.3.3 Index, Pointer, and Base Registers 

Five of the general-purpose registers are 
available for offset address calculations. These 
five registers, shown in figure 2-4, are SP, BP, 
BX, SI, and DI. SP is called a pointer regis- 
ter, BP and BX are called base registers; SI 
and DI are called index registers. 

As described in the previous section, segment 
registers define the set of four segments 
currently addressable by a program. A 
pointer, base, or index register may contain 
an offset value relative to the start of one of 
these segments; it thereby points to a partic- 
ular operand's location within that segment. 
To allow for efficient computations of effec- 
tive address offsets, all base and index regis- 
ters may participate interchangeably as 
operands in most arithmetical operations. 

Stack operations are facilitated by the stack 
pointer (SP) and stack frame base (BP) 
registers. By specifying offsets into the current 
stack segment, each of these registers provides 
access to data on the stack. The SP register 
is the customary top-of-stack pointer, 
addressing the uppermost datum on a push- 



down stack. It is referenced implicitly by 
PUSH and POP operations, subroutine calls, 
and interrupt operations. The BP register 
provides yet another offset into the stack 
segment. The existence of this stack relative 
base register, in conjunction with certain 
addressing modes described in section 2.6.3, 
is particularly useful for accessing data struc- 
tures, variables and dynamically allocated 
work space within the stack. 

Stacks in the iAPX 286 are implemented in 
memory and are located by the stack segment 
register (SS) and the stack pointer register 
(SP). A system may have an unlimited 
number of stacks, and a stack may be up to 
64K bytes long, the maximum length of a 
segment. 

One stack is directly addressable at a time; 
this is the current stack, often referred to 
simply as "the" stack. SP contains the current 
top of the stack (TOS). In other words, SP 
contains the offset to the top of the push down 
stack from the stack segment's base address. 
Note, however, that the stack's base address 
(contained in SS) is not the "bottom" of the 
stack (figure 2-7). 
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Figure 2-7. iAPX 286 Stack 
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iAPX 286 stack entries are 16 bits wide. 
Instructions operate on the stack by adding 
and removing stack items one word at a time. 
An item is pushed onto the stack (see figure 
2-8) by decrementing SP by 2 and writing the 
item at the new TOS. An item is popped off 
the stack by copying it from TOS and then 
incrementing SP by 2. In other words, the 
stack grows down in memory toward its base 
address. Stack operations never move items 
on the stack; nor do they erase them. The top 
of the stack changes only as a result of updat- 
ing the stack pointer. 

The stack frame base pointer (BP) is often 
used to access elements on the stack relative 
to a fixed point on the stack rather than 
relative to the current TOS. It typically 
identifies the base address of the current stack 
frame established for the current procedure 
(figure 2-9). If an index register is used 
relative to BP (e.g., base + index addressing 
mode using BP as the base), the offset will be 
calculated automatically in the current stack 
segment. 

Accessing data structures in data segments is 
facilitated by the BX register, which has the 
same function in addressing operands within 
data segments that BP does for stack 
segments. They are called base registers 
because they may contain an offset to the base 
of a data structure. The similar usage of these 
two registers is especially important when 
discussing addressing modes (see section 2.4, 
"Addressing Modes"). 

Operations on data are also facilitated by the 
SI and DI registers. By specifying an offset 
relative to the start of the currently address- 
able data segment, an index register can be 
used to address an operand in the segment. If 
an index register is used in conjunction with 
the BX base register (i.e., base + index 
addressing) to form an offset address, the data 



is also assumed to reside in the current data 
segment. As a rule, data referenced through 
an index register or BX is presumed to reside 
in the current data segment. That is, if an 
instruction invokes addressing for one of its 
operands using either BX, DI, SI, or BX with 
SI or DI, the contents of the register(s) (BX, 
DI, or SI) implicitly specify an offset in the 
current data segment. As previously men- 
tioned, data referenced via SP, BP or BP with 
SI or DI implicitly specify an operand in the 
current stack segment (refer to table 2-1). 

There are two exceptions to the rules listed 
above. The first concerns the operation of 
certain iAPX 286 string instructions. For the 
most flexibility, these instructions assume that 
the DI register addresses destination strings 
not in the data segment, but rather in the 
extra segment (ES register). This allows 
movement of strings between different 
segments. This has led to the descriptive 
names "source index" and "destination 
index." In all cases other than string instruc- 
tions, however, the SI and DI registers may 
be used interchangeably to reference either 
source or destination operands. 



Table 2-1. Implied Segment Usage by Index, 
Pointer and Base Registers 



Register 


Implied Segment 


SP 


SS 


BP 


ss 


BX 


DS 


SI 


DS 


DI 


DS, ES for String Operations 


BP + SI, DI 


SS 


BX + SI, DI 


DS 



NOTE: 

All implied Segment usage, except SP to SS and DI 
to ES for String Operations, may be explicitly speci- 
fied with a segment override prefix for any of the four 
segments. The prefix precedes the instruction for 
which explicit reference is desired. 
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STACK OPERATION FOR CODE SEQUENCE: 
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Figure 2-8. Stack Operation 
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BP IS A CONSTANT POINTER TO STACK BASED VARIABLES AND WORK SPACE. ALL REFERENCES 
USE BP AND ARE INDEPENDENT OF SP. WHICH MAY VARY DURING A ROUTINE EXECUTION. 



PROCN 
PUSH AX 

PUSH ARRAY.SIZE 
CALLPROC_N~1 
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"PROCEDURE BODY" 
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Figure 2-9. BP Usage as a Stack Frame Base Pointer 
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A second more general override capability 
allows the programmer complete control of 
which segment is used for a specific opera- 
tion. Segment-override prefixes, discussed in 
section 2.4.3, allow the index and base regis- 
ters to address data in any of the four 
currently addressable segments. 

2.3.4 Status and Control Registers 

Two status and control registers are of 
immediate concern to applications program- 
mers: the instruction pointer and the FLAGS 
registers. 

The instruction pointer register (IP) contains 
the offset address, relative to the start of the 
current code segment, of the next sequential 
instruction to be executed. Together, the 
CS:IP registers thus define a 32-bit program- 
counter. The instruction pointer is not directly 
visible to the programmer; it is controlled 
implicitly, by interrupts, traps, and control- 
transfer operations. 



The FLAGS register encompasses eleven flag 
fields, mostly one-bit wide, as shown in figure 
2-10. Six of the flags are status flags that 
record processor status information. The 
status flags are affected by the execution of 
arithmetic and logical instructions. The carry 
flag is also modifiable with instructions that 
will clear, set or complement this flag bit. See 
Chapters 3 and 4. 

The carry flag (CF) generally indicates a 
carry or borrow out of the most significant 
bit of an 8- or 16-bit operand after perform- 
ing an arithmetic operation; this flag is also 
useful for bit manipulation operations involv- 
ing the shift and rotate instructions. The effect 
on the remaining status flags, when defined 
for a particular instruction, is generally as 
follows: the zero flag (ZF) indicates a zero 
result when set; the sign flag (SF) indicates 
whether the result was negative (SF=1) or 
positive (SF=0); when set, the overflow flag 
(OF) indicates whether an operation results 



STATUS FLAGS: 

CARRY 

PARITY 



AUXILIARY CARRY ■ 

ZERO 

SIGN 

OVERFLOW 



CONTROL FLAGS: 
TRAP FLAG 
INTERRUPT ENABLE 
DIRECTION FLAG 

SPECIAL FIELDS: 
I/O PRIVILEGE LEVEL 
NESTED TASK FLAG 



Figure 2-10. Flags Register 
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in a carry into the high order bit of the result 
but not a carry out of the high-order bit, or 
vice versa; the parity flag (PF) indicates 
whether the modulo 2 sum of the low-order 
eight bits of the operation is even (PF=0) or 
odd (PF=1) parity. The auxiliary carry flag 
( AF) represents a carry out of or borrow into 
the least significant 4-bit digit when perform- 
ing binary coded decimal (BCD) arithmetic. 

The FLAGS register also contains three 
control flags that are used, under program 
control, to direct certain processor opera- 
tions. The interrupt-enable flag (IF), if set, 
enables external interrupts; otherwise, inter- 
rupts are disabled. The trap flag (TF), if set, 
puts the processor into a single-step mode for 
debugging purposes where the target program 
is automatically interrupted to a user supplied 
debug routine after the execution of each 
target program instruction. The direction flag 
(DF) controls the forward or backward direc- 
tion of string operations: = forward or auto 
increment the address register(s) (SI, DI or 
SI and DI), 1 = backward or auto-decre- 
ment the address register(s) (SI, DI or SI and 
DI). 

In general, the interrupt enable flag may be 
set or reset with special instructions (STI = set, 
CLI = clear) or by placing the flags on the 
stack, modifying the stack, and returning the 
flag image from the stack to the flag register. 
If operating in Protected Mode, the ability to 
alter the IF bit is subject to protection checks 
to prevent non-privileged programs from 
effecting the interrupt state of the CPU. This 
applies to both instruction and stack options 
for modifying the IF bit. 

The TF flag may only be modified by copying 
the flag register to the stack, setting the TF 
bit in the stack image, and returning the 
modified stack image to the flag register. The 
trap interrupt occurs on completion of the 



next instruction. Entry to the single step 
routine saves the flag register on the stack 
with the TF bit set, and resets the TF bit in 
the register. After completion of the single 
step routine, the TF bit is automatically set 
on return to the program being single stepped 
to interrupt the program again after comple- 
tion of the next instruction. Use of TF is not 
inhibited by the protection mechanism in 
Protected Mode. 

The DF flag, like the IF flag, is controlled by 
instructions (CLD = clear, STD = set) or 
flag register modification through the stack. 
Typically, routines that use string instruc- 
tions will save the flags on the stack, modify 
DF as necessary via the instructions provided, 
and restore DF to its original state by restor- 
ing the Flag register from the stack before 
returning. Access or control of the DF flag is 
not inhibited by the protection mechanism in 
Protected Mode. 

The Special Fields bits are only relevant in 
Protected Mode. Real Address Mode 
programs should treat these bits as don't- 
care's, making no assumption about their 
status. Attempts to modify the IOPL and NT 
fields are subject to protection checking in 
Protected Mode. In general, the application's 
programmer will not be able to and should 
not attempt to modify these bits. (See section 
9.4, "Privileged and Trusted Instructions" for 
more details.) 



2.4 ADDRESSING MODES 

The information encoded in an iAPX 286 
instruction includes a specification of the 
operation to be performed, the type of the 
operands to be manipulated, and the location 
of these operands. If an operand is located in 
memory, the instruction must also select, 
explicitly or implicitly, which of the currently 
addressable segments contains the operand. 
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This section covers the operand addressing 
mechanisms; iAPX 286 operators are 
discussed in Chapter 3. 

The five elements of a general instruction are 
briefly described below. The exact format of 
iAPX 286 instructions is specified in 
Appendix B. 

• The opcode is present in all instructions; 
in fact, it is the only required element. Its 
principal function is the specification of 
the operation performed by the 
instruction. 

• A register specifier. 

• The addressing mode specifier, when 
present, is used to specify the addressing 
mode of an operand for referencing data 
or performing indirect calls or jumps. 

• The displacement, when present, is used 
to compute the effective address of an 
operand in memory. 

• The immediate operand, when present, 
directly specifies one operand of the 
instruction. 

Of the four elements, only one, the opcode, is 
always present. The other elements may or 
may not be present, depending on the partic- 
ular operation involved and on the location 
and type of the operands. 

2.4.1 Operands 

Generally speaking, an instruction is an 
operation performed on zero, one, or two 
operands, which are the data manipulated by 
the instruction. An operand can be located 
either in a register (AX, BX, CX, DX, SI, 
DI, SP, or BP in the case of 16-bit operands; 
AH, AL, BH, BL, CH, CL, DH, or DL in 
the case of 8-bit operands; the FLAG register 
for flag operations in the instruction itself (as 
an immediate operand)), or in memory or an 



I/O port. Immediate operands and operands 
in registers can be accessed more rapidly than 
operands in memory since memory operands 
must be fetched from memory while immedi- 
ate and register operands are available in the 
processor. 

An iAPX 286 instruction can reference zero, 
one, or two operands. The three forms are as 
follows: 



• Zero-operand instructions, such as RET, 
NOP, and HLT. Consult Appendix B. 

• One-operand instructions, such as INC or 
DEC. The location of the single operand 
can be specified implicitly, as in AAM 
(where the register AX contains the 
operand), or explicitly, as in INC (where 
the operand can be in any register or 
memory location). Explicitly specified 
operands are accessed via one of the 
addressing modes described in section 
2.4.2. 

• Two operand instructions such as MOV, 
ADD, XOR, etc., generally overwrite one 
of the two participating operands with the 
result. A distinction can thus be made 
between the source operand (the one left 
unaffected by the operation) and the 
destination operand (the one overwritten 
by the result). Like one-operand instruc- 
tions, two-operand instructions can 
specify the location of operands either 
explicitly or implicitly. If an instruction 
contains two explicitly specified operands, 
only one of them — either the source or the 
destination — can be in a register or 
memory location. The other operand must 
be in a register or be an immediate source 
operand. Special cases of two-operand 
instructions are the string instructions and 
stack manipulation. Both operands of 
some string instructions are in memory 
and are explicitly specified. Push and pop 
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stack operations allow transfer between 
memory operands and the memory based 
stack. 

Thus, the two-operand instructions of the 
iAPX 286 permit operations of the following 
sort: 

• Register-to-register 

• Register-to-memory 

• Memory-to-register 

• Immediate-to-register 

• Immediate-to-memory 
© Memory-to-memory 

Instructions can specify the location of their 
operands by means of eight addressing modes, 
which are described in sections 2.4.2 
and 2.4.3. 

2.4.2 Register and Immediate Modes 

Two addressing modes are used to reference 
operands contained in registers and 
instructions: 

• Register Operand Mode. The operand is 
located in one of the 16-bit registers (AX, 
BX, CX, DX, SI, DI, SP, or BP) or in 
one of the 8-bit general registers (AH, 
BH, CH, DH, AL, BL, CL, or DL). 

Special instructions are also included for 
referencing the CS, DS, ES, SS, and Flag 
registers as operands also. 

o Immediate Operand Mode. The operand 
is part of the instruction itself (the 
immediate operand element). 

2.4.3 Memory Addressing Modes 

Six modes are used to access operands in 
memory. Memory operands are accessed by 
means of a pointer consisting of a segment 



selector (see section 2.3.2) and an offset, 
which specifies the operand's displacement in 
bytes from the beginning of the segment in 
which it resides. Both the segment selector 
component and the offset component are 
16-bit values. (See section 2.1 for a discus- 
sion of segmentation.) Only some instruc- 
tions use a full 32-bit address. 

Most memory references do not require the 
instruction to specify a full 32-bit pointer 
address. Operands that are located within one 
of the currently addressable segments, as 
determined by the four segment registers (see 
section 2.3.2, "Segment Registers"), can be 
referenced very efficiently simply by means 
of the 16-bit offset. This form of address is 
called by short address. The choice of segment 
(CS, DS, ES, or SS) is either implicit within 
the instruction itself or explicitly specified by 
means of a segment override prefix (see 
below). 

See figure 2-11 for a diagram of the address- 
ing process. 

2.4.3.1 SEGMENT SELECTION 

All instructions that address operands in 
memory must specify the segment and the 
offset. For speed and compact instruction 
encoding, segment selectors are usually stored 
in the high speed segment registers. An 
instruction need specify only the desired 
segment register and an offset in order to 
address a memory operand. 

Most instructions need not explicitly specify 
which segment register is used. The correct 
segment register is automatically chosen 
according to the rules of table 2-1 and table 
2-2. These rules follow the way programs are 
written (see figure 2-12) as independent 
modules that require areas for code and data, 
a stack, and access to external data areas. 
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SEGMENT 


OFFSET 



OPERAND 
SELECTED 



SELECTED 
SEGMENT 



Figure 2-11. Two-Component Address 
Table 2-2. Segment Register Selection Rules 



Memory 
Reference Needed 


Segment Register 
Used 


Implicit Segment 
Selection Rule 


Instructions 


Code (CS) 


Automatic with instruction prefetch. 


Stack 


Stack (SS) 


All stack pushes and pops. Any memory refer- 
ence which uses BP as a base register. 


Local Data 


Data (DS) 


All data references except when relative to stack 
or string destination. 


External (Global) Data 


Extra (ES) 


Alternate data segment and destination of string 
operation. 



There is a close connection between the type 
of memory reference and the segment in 
which that operand resides (see the next 
section for a discussion of how memory 
addressing mode calculations are performed). 
As a rule, a memory reference implies the 
current data segment (i.e., the implicit 
segment selector is in DS) unless the BP 
register is involved in the address specifica- 



tion, in which case the current stack segment 
is implied (i.e, SS contains the selector). 

The iAPX 286 instruction set defines special 
instruction prefix elements (see Appendix B). 
One of these is SEG, the segment-override 
prefix. Segment-override prefixes allow an 
explicit segment selection. Only in two special 
cases — namely, the use of DI to reference 
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Figure 2-12. Use of Memory Segmentation 

destination strings in the ES segment, and the 
use of SP to reference stack locations in the 
SS segment — is there an implied segment 
selection which cannot be overridden. The 
format of segment override prefixes is shown 
in Appendix B. 



2.4.3.2 OFFSET COMPUTATION 

The offset within the desired segment is 
calculated in accordance with the desired 
addressing mode. The offset is calculated by 
taking the sum of up to three components: 

• the displacement element in the instruc- 
tion 

• the base (contents of BX or BP — a base 
register) 

• the index (contents of SI or DI — an index 
register) 

Each of the three components of an offset may 
be either a positive or negative value. Offsets 
are calculated modulo 2 16 . 

The six memory addressing modes are gener- 
ated using various combinations of these three 
components. The six modes are used for 
accessing different types of data stored in 
memory: 



addressing mode 

direct address 
register indirect 
based 
indexed 
based indexed 
based indexed with 
displacement 



offset calculation 

displacement alone 
base or index alone 
base + displacement 
index + displacement 
base + index 
base + index + disp 



In all six modes, the operand is located at the 
specified offset within the selected segment. 
All displacements, except direct address mode, 
are optionally 8- or 16-bit values. 8-bit 
displacements are automatically sign- 
extended to 16 bits. The six addressing modes 
are described and demonstrated in the 
following section on memory addressing 
modes. 
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2.4.3.3 MEMORY MODE 

Two modes are used for simple scalar 
operands located in memory: 

• Direct Address Mode. The offset of the 
operand is contained in the instruction as 
the displacement element. The offset is a 
16-bit quantity. 

• Register Indirect Mode. The offset of the 
operand is in one of the registers SI, DI, 
or BX. (BP is excluded; if BP is used as 
a stack frame base, it requires an index 
or displacement component to reference 
either parameters passed on the stack or 
temporary variables allocated on the 
stack. The instruction level bit encoding 
for the BP only address mode is used to 
specify Direct Address mode. See 
Chapter 12 for more details.) 

The following four modes are used for 
accessing complex data structures in 
memory (see figure 2-13): 

• Based Mode. The operand is located 
within the selected segment at an offset 
computed as the sum of the displacement 
and the contents of a base register (BX 
or BP). Based mode is often used to 
access the same field in different copies 
of a structure (often called a record). The 
base register points to the base of the 
structure (hence the term "base" regis- 
ter), and the displacement selects a 
particular field. Corresponding fields 
within a collection of structures can be 
accessed simply by changing the base 
register. (See figure 2-13, example 1.) 

• Indexed Mode. The operand is located 
within the selected segment at an offset 
computed as the sum of the displacement 
and the contents of an index register (SI 
or DI). Indexed mode is often used to 
access elements in a static array (e.g., an 



array whose starting location is fixed at 
translation time). The displacement 
locates the beginning of the array, and the 
value of the index register selects one 
element. Since all array elements are the 
same length, simple arithmetic on the 
index register will select any element. 
(See figure 2-13, example 2.) 

• Based Indexed Mode. The operand is 
located within the selected segment at an 
offset computed as the sum of the base 
register's contents and an index register's 
contents. Based Indexed mode is often 
used to access elements of a dynamic 
array (i.e., an array whose base address 
can change during execution). The base 
register points to the base of the array, 
and the value of the index register is used 
to select one element. (See figure 2-13, 
example 3.) 

• Based Indexed Mode with Displacement. 
The operand is located with the selected 
segment at an offset computed as the sum 
of a base register's contents, an index 
register's contents, and the displacement. 
This mode is often used to access 
elements of an array within a structure. 
For example, the structure could be an 
activation record (i.e., a region of the 
stack containing the register contents, 
parameters, and variables associated with 
one instance of a procedure); and one 
variable could be an array. The base 
register points to the start of the activa- 
tion record, the displacement expresses 
the distance from the start of the record 
to the beginning of the array variable, and 
the index register selects a particular 
element of the array. (See figure 2-13, 
example 4.) 

Table 2-3 gives a summary of all memory 
operand addressing options. 
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Figure 2-13. Complex Addressing Modes 
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Table 2-3. Memory Operand Addressing Modes 


Addressing Mode 


Offset Calculation 


Direct 


16-bit Displacement in the instruction 


Register Indirect 


BX, SI, Dl 


Based 


(BX or BP) + Displacement* 


Indexed 


(SI or Dl) + Displacement* 


Based Indexed 


(BX or BP) + (SI or Dl) 


Based Indexed + Displacement 


(BX or BP) + (SI or Dl) + Displacement* 



2.5 INPUT/OUTPUT 

The iAPX 286 allows input/output to be 
performed in either of two ways: by means of 
a separate I/O address space (using specific 
I/O instructions) or by means of memory- 
mapped I/O (using general-purpose operand 
manipulation instructions). 

2.5.1 I/O Address Space 

The iAPX 286 provides a separate I/O 
address space, distinct from physical memory, 
to address the input/output ports that are 
used for external devices. The I/O address 
space consists of 2 16 (64K) individually 
addressable 8-bit ports. Any two consecutive 
8-bit ports can be treated as a 16-bit port. 
Thus, the I/O address space can accommo- 
date up to 64K 8-bit ports or up to 32K 
16-bit ports. 

The iAPX 286 can transfer either 8 or 16 bits 
at a time to a device located in the I/O space. 
Like words in memory, 16-bit ports should be 
aligned at even-numbered addresses so that 
the 16 bits will be transferred in a single 
access. An 8-bit port may be located at either 
an even or odd address. The internal registers 
in a given peripheral controller device should 
be assigned addresses as shown below. 



The I/O instructions IN and OUT (described 
in section 3.11.3) are provided to move data 
between I/O ports and the AX (16-bit I/O) 
or AL (8-bit I/O) general registers. The block 
I/O instructions INS and OUTS (described 
in section 4.1) move blocks of data between 
I/O ports and memory space (as shown 
below). In Protected Mode, an operating 
system may prevent a program from execut- 
ing these I/O instructions. Otherwise, the 
function of the I/O instructions and the 
structure, of the I/O space are identical for 
both modes of operation. 



INS es : by te ptr [ d 1 ] , DX 
DUTS DX , byte ptr [all 



IN and OUT instructions address I/O with 
either a direct address to one of up to 256 port 
addresses, or indirectly via the DX register to 
one of up to 64K port addresses. Block I/O 
uses the DX register to specify the I/O 
address and either SI or Dl to designate the 
source or destination memory address. For 
each transfer, SI or Dl are either incre- 
mented or decremented as specified by the 
direction bit in the flag word while DX is 
constant to select the I/O device. 



Port Register 

16-bit 

8-bit; device on lower half 

of 1 6-bit data bus 

8-bit; device on upper half 

of 1 6-bit data bus 



Port Addresses 

even word addresses 
even byte addresses 

odd byte addresses 



Example 

OUT FE.AX 
IN AL.FE 

OUT FF.AL 
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2.5.2 Memory-Mapped I/O 

I/O devices also may be placed in the iAPX 
286 memory address space. So long as the 
devices respond like memory components, 
they are indistinguishable to the processor. 

Memory-mapped I/O provides additional 
programming flexibility. Any instruction that 
references memory may be used to access an 
I/O port located in the memory space. For 
example, the MOV instruction can transfer 
data between any register and a port; and the 
AND, OR, and TEST instructions may be 
used to manipulate bits in the internal regis- 
ters of a device (see figure 2-14). Memory- 
mapped I/O performed via the full instruc- 
tion set maintains the full complement of 
addressing modes for selecting the desired 
I/O device. 

Memory-mapped I/O, like any other memory 
reference, is subject to access protection and 
control when executing in protected mode. 

2.6 INTERRUPTS AND EXCEPTIONS 

The iAPX 286 architecture supports several 
mechanisms for interrupting program execu- 



tion. Internal interrupts are synchronous 
events that are the responses of the CPU to 
certain events detected during the execution 
of an instruction. External interrupts are 
asynchronous events typically triggered by 
external devices needing attention. The iAPX 
286 supports both maskable (controlled by the 
IF flag) and non-maskable interrupts. They 
cause the processor to temporarily suspend its 
present program execution in order to service 
the requesting device. The major distinction 
between these two kinds of interrupts is their 
origin: an internal interrupt is always repro- 
ducible by re-executing with the program and 
data that caused the interrupt, whereas an 
external interrupt is generally independent of 
the currently executing task. 



Application programmers will normally not be 
concerned with servicing external interrupts. 
More information on external interrupts for 
system programmers may be found in Chapter 
5, section 5.2, "Interrupt Handling for Real 
Address Mode," and in Chapter 9, "Inter- 
rupts, Traps and Faults for Protected Virtual 
Address Mode." 
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Figure 2-14. SVJemory-Mapped I/O 
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In Real Address Mode, the application 
programmer is affected by two kinds of inter- 
nal interrupts. (Internal interrupts are the 
result of executing an instruction which causes 
the interrupt.) One type of interrupt is called 
an exception because the interrupt only occurs 
if a particular fault condition exists. The other 
type of interrupt generates the interrupt every 
time the instruction is executed. 

The exceptions are: divide error, INTO 
detected overflow, bounds check, segment 
overrun, invalid operation code, and proces- 
sor extension error (see table 2-4). A divide 
error exception results when the instructions 
DIV or IDIV are executed with a zero 
denominator; otherwise, the quotient will be 
too large for the destination operand (see 
section 3.3.4 for a discussion of DIV and 
IDIV). An overflow exception results when 
the INTO instruction is executed and the OF 
flag is set (after an arithmetic operation that 
set the overflow (OF) flag). (See section 3.6.3, 
"Software Generated Interrupts," for a 
discussion of INTO.) A bounds check excep- 
tion results when the BOUND instruction is 
executed and the array index it checks falls 
outside the bounds of the array. (See section 
4.2 for a discussion of the BOUND instruc- 
tion.) The segment overrun exception occurs 
when a word memory reference is attempted 
which extends beyond the end of a segment. 



An invalid operation code exception occurs if 
an attempt is made to execute an undefined 
instruction operation code. A processor 
extension error is generated when a processor 
extension detects an illegal operation. Refer 
to Chapter 5 for a more complete description 
of these exception conditions. 

The instruction INT generates an internal 
interrupt whenever it is executed. The effects 
of this interrupt (and the effects of all inter- 
rupts) is determined by the interrupt handler 
routines provided by the application program 
or as part of the system software (provided 
by system programmers). See Chapter 5 for 
more on this topic. The INT instruction itself 
is discussed in section 3.6.3. 

In Protected Mode, many more fault condi- 
tions are detected and result in internal inter- 
rupts. Protected Mode interrupts and faults 
are discussed in Chapter 10. 

2.7 HIERARCHY OF INSTRUCTION SETS 

For descriptive purposes, the iAPX 286 
instruction set is partitioned into three distinct 
subsets: the Basic Instruction Set, the 
Extended Instruction Set, and the System 
Control Instruction Set. The "hierarchy" of 
instruction sets defined by this partitioning 
helps to clarify the relationships between the 
various processors in the iAPX 86 family (see 
figure 2-15). 



Table 2-4. iAPX 286 Exceptions 


Function 


Related Instructions 


Divide error exception 


DIV.IDIV 


INTO detected overflow exception 


INTO 


BOUND range exceeded exception 


BOUND 


Invalid opcode exception 


Any undefined opcode 


Segment overrun exception 


Word memory reference with offset = 
FFFF(H) or an attempt to execute past the 
end of a segment 


Processor extension error interrupt 


ESC or WAIT 
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The Basic Instruction Set, presented in 
Chapter 3, comprises the common subset of 
instructions found on all processors of the 
iAPX 86 family. Included are instructions for 
logical and arithmetic operations, data 
movement, input/output, string manipula- 
tion, and transfer of control. 

The Extended Instruction Set, presented in 
Chapter 4, consists of those instructions found 



only on the iAPX 186 and iAPX 286 proces- 
sors. Included are instructions for block 
structured procedure entry and exit, parame- 
ter validation, and block I/O transfers. 

The System Control Instruction Set, 
presented in Chapter 10, consists of those 
instructions unique to the iAPX 286. These 
instructions control the memory management 
and protection mechanisms of the iAPX 286. 




BASIC INSTRUCTION SET 



EXTENDED INSTRUCTION SET 



SYSTEM CONTROL INSTRUCTION SET 



Figure 2-15. Hierachy of Instructions 



2-25 



Basic Instruction Set 3 



CHAPTER 3 
BASIC INSTRUCTION SET 



The base architecture of the iAPX 286 is 
identical to the complete instruction set of the 
iAPX 86, 88, and 186 processors. The iAPX 
286 instruction set includes new forms of some 
instructions. These new forms reduce program 
size and improve the performance and ease of 
implementation of source coce. 

This chapter describes the instructions which 
programmers can use to write application 
software for the iAPX 286. The following 
chapters describe the operation of more 
complicated I/O and system control 
instructions. 

All instructions described in this chapter are 
available for both Real Address Mode and 
Protected Virtual Address Mode operation. 
The instruction descriptions note any differ- 
ences that exist between the operation of an 
instruction in these two modes. 

This chapter also describes the operation of 
each application program-relative instruction 
and includes an example of using the instruc- 
tion. The Instruction Dictionary in Appendix 
B contains formal descriptions of all instruc- 
tions. Any opcode pattern that is not described 
in the Instruction Dictionary results in an 
opcode violation trap (interrupt 6). 

3.1 DATA MOVEMENT INSTRUCTIONS 

These instructions provide convenient methods 
for moving bytes or words of data between 
memory and the registers of the base 
architecture. 



3.1.1 General-Purpose Data Movement 
Instructions 

MOV (Move) transfers a byte or a word from 
the source operand to the destination operand. 



The MOV instruction is useful for transfer- 
ring data to a register from memory, to 
memory from a register, between registers, 
immediate-to-register, or immediate-to- 
memory. Memory-to-memory or segment 
register-to-segment register moves are not 
allowed. 

Example: MOV DS,AX 

Replaces the contents of register 
DS with the contents of register 
AX. 

XCHG (Exchange) swaps the contents of two 
operands. This instruction takes the place of 
three MOV instructions. It does not require a 
temporary memory location to save the 
contents of one operand while you load the 
other. 

The XCHG instruction can swap two byte 
operands or two word operands, but not a byte 
for a word or a word for a byte. The operands 
for the XCHG instruction may be two regis- 
ter operands, or a register operand with a 
memory operand. 

Example: XCHG BX,WORDOPRND 

Swaps the contents of register BX 
with the contents of the memory 
word identified by the label 
WORDOPRND after asserting 
bus lock. 



3.1.2 Stack Manipulation Instructions 

PUSH (Push) decrements the stack pointer 
(SP) by two and then transfers a word from 
the source operand to the top of stack 
indicated by SP. See figure 3-1. PUSH is 
often used to place parameters on the stack 
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before calling a procedure; it is also the basic 
means of storing temporary variables on the 
stack. The PUSH instruction operates on 
memory operands, immediate memory 
operands (new with the iAPX 286), and 
register operands (including segment 
registers). 



Example: PUSH WORDOPRND 

Transfers a 1 6-bit value from the 
memory word identified by the 
label WORDOPRND to the 
memory location which repre- 
sents the current top of stack 
(byte transfers are not allowed). 



HIGH ADDRESS 



OPERANDS FROM 
PREVIOUS PUSH 
INSTRUCTIONS 



LOW ADDRESS 



auwftwvauuuv-u 



^r\ '-C 



AYCfflfflfflXWUHV 



■< SP ALWAYS POINTS TO 

THE LAST WORD PUSHED 
ONTO THE STACK (TOS) 



SS ALWAYS POINTS TO 
LOWEST ADDRESS USED BY 
THE STACK 



BEFORE 

PUSH OPERAND 



AFTER 

PUSH OPERAND 



PUSH decrements SP by 2 bytes and places the operand In the stack at the location to which SP points. 



Figure 3-1. PUSH 
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PUSHA (Push All Registers) saves the 
contents of the eight general registers on the 
stack. See figure 3-2. This instruction simpli- 
fies procedure calls by reducing the number 
of instructions required to retain the contents 
of the general registers for use in a proce- 
dure. PUSHA is complemented by POPA 
(see below). 



The processor pushes the general registers on 
the stack in the following order: AX, CX, DX, 
BX, the initial value of SP before AX was 
pushed, BP, SI, and DI. 

Example: PUSHA 

Pushes onto the stack the contents 
of the eight general registers. 



HIGH ADDRESS 

OPERANDS FROM 
PREVIOUS PUSH 
INSTRUCTIONS 



LOW ADDRESS 







-SP 



SS 



BEFORE 
PUSHA 



AFTER 
PUSHA 



PUSHA copies the contents of the eight general registers to the stack in the above order. The instruction decrements SP by 16 bytes 
(8 words) to point to the last word pushed on the stack. 



Figure 3-2. PUSHA 
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POP (Pop) transfers the word at the current 
top of stack (indicated by SP) to the desti- 
nation operand, and then increments SP by 
two to point to the new top of stack. See 
figure 3-3. POP moves information from the 
stack to either a register or memory. The only 
restriction on POP is that it cannot place a 
value in register CS. 



Example: POP BX 

Replaces the contents of register 
BX with the contents of the 
memory location at the top of 
stack. 

POPA (Pop All Registers) restores the 
registers saved on the stack by PUSHA, 



HIGH ADDRESS 

OPERANDS FROM 
PREVIOUS PUSH 
INSTRUCTIONS 



■wuww,;;;,:.;^^.: 



LOW ADDRESS 



IUW.UUW.UWW.UO 



SS LIMIT 



-< SP 



SS 



BEFORE 

POP OPERAND 



AFTER 

POP OPERAND 



POP copies the contents of the stack location before SP to the operand in the instruction. POP then increments SP by 2 bytes (1 word). 



Figure 3-3. POP 
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except that it ignores the value of SP. See 
figure 3-4. 

Example: POPA 

Pops from the stack the saved 
contents of the general registers, 
and restores the registers (except 
SP) to their original state. 

3.2 FLAG OPERATION WITH THE BASIC 
INSTRUCTION SET 

3.2.1 Status Flags 

The status flags of the FLAGS register reflect 
conditions that result from a previous 



instruction or instructions. The arithmetic 
instructions use OF, SF, ZF, AF, PF, and CF. 

The SCAS (Scan String), CMPS (Compare 
String), and LOOP instructions use ZF to 
signal that their operations are complete. The 
base architecture includes instructions to set, 
clear, and complement CF before execution 
of an arithmetic instruction. See figure 3-4a 
and tables 3-1 and 3-2. 

3.2.2 Control Flags 

The control flags of the FLAGS register 
determine processor operations for string 
instructions, maskable interrupts, and 
debugging. 



HIGH ADDRESS 



LOW ADDRESS 













AX 




CX 




DX 




BX 




SP 




BP 




SI 




Dl 






l. 


i ^. 















BEFORE 
POPA 



SS LIMIT 



AFTER 
POPA 



POPA copies the contents of seven stack locations to the corresponding general registers. POPA discards the stored value of SP. 



Figure 3-4. POPA 
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STATUS FLAGS: 

CARRY 

PARITY 

AUXILIARY CARRY 

ZERO 

SIGN 

OVERFLOW 



12 "11 



8 \< 7 "6 



T * 



Y 2 



" 



OF 



SF 



AF iH 



CONTROL FLAGS: 
TRAP FLAG 
INTERRUPT ENABLE 
DIRECTION FLAG 

SPECIAL FIELDS: 
I/O PRIVILEGE LEVEL 
NESTED TASK FLAG 



Figure 3-4a. Flag Word Contents 



Setting DF (direction flag) causes string 
instructions to auto-decrement; that is, to 
process strings from high addresses to low 
addresses, or from "right-to-left." Clearing 
DF causes string instructions to auto-incre- 
ment, or to process strings from "left-to- 
right." 

Setting IF (interrupt flag) allows the CPU to 
recognize external (maskable) interrupt 
requests. Clearing IF disables these inter- 
rupts. IF has no effect on either internally 
generated interrupts, nonmaskable external 
interrupts, or processor extension segment 
overrun interrupts. 

Setting TF (trap flag) puts the processor into 
single-step mode for debugging. In this mode, 
the CPU automatically generates an internal 
interrupt after each instruction, allowing a 



program to be inspected as it executes each 
instruction, instruction by instruction. 

3.3 ARITHMETIC INSTRUCTIONS 

The arithmetic instructions of the iAPX 86- 
family processors simplify the manipulation 
of numerical data. Multiplication and division 
instructions ease the handling of signed and 
unsigned binary integers as well as unpacked 
decimal integers. 

An arithmetic operation may consist of two 
register operands, a general register source 
operand with a memory destination operand, 
a memory source operand with a register 
destination operand, or an immediate field 
with either a register or memory destination 
operand, but not two memory operands. 
Arithmetic instructions can operate on either 
byte or word operands. 
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Table 3-1. Status Flags' Functions 



Bit 
Position 


Name 


Function 





CF 


Carry Flag— Set on high-order bit 
carry or borrow; cleared other- 
wise 


2 


PF 


Parity Flag — Set if low-order 
eight bits of result contain an 
even number of 1 bits; cleared 
otherwise 


4 


AF 


Set on carry from or borrow to 
the low order four bits of AL; 
cleared otherwise 


6 


ZF 


Zero Flag — Set if result is zero; 
cleared otherwise 


7 


SF 


Sign Flag — Set equal to high- 
order bit of result (0 if positive, 1 
if negative) 


11 


OF 


Overflow Flag — Set if result is 
too-large a positive number or 
too-small a negative number 
(excluding sign-bit) to fit in 
destination operand; cleared 
otherwise 



Table 3-2. Control Flags' Functions 



Bit 
Position 


Name 


Function 


8 


TF 


Single Step Flag — Once set, a 
single step interrupt occurs after 
the next instruction executes. TF 
is cleared by the single step 
interrupt. 


9 


IF 


Interrupt-enable Flag — When set, 
maskable interrupts will cause the 
CPU to transfer control to an 
interrupt vector-specified 
location. 


10 


DF 


Direction Flag — Causes string 
instructions to auto decrement 
the appropriate index registers 
when set. Clearing DF causes 
auto increment. 



3.3.1 Addition Instructions 

ADD (Add Integers) replaces the destination 
operand with the sum of the source and desti- 
nation operands. ADD affects OF, SF, AF, 
PF, CF, and ZF. 

Example: ADD BL, BYTEOPRND 

Adds the contents of the memory 
byte labeled BYTEOPRND to 
the contents of BL, and replaces 
BL with the resulting sum. 

ADC (Add Integers with Carry) sums the 
operands, adds one if CF is set, and replaces 
the destination operand with the result. ADC 
can be used to add numbers longer than 16 
bits. ADC affects OF, SF, AF, PF, CF, 
and ZF. 

Example: ADC BX, CX 

Replaces the contents of the 
destination operand BX with the 
sum of BX, CS, and 1 (if CF is 
set). If CF is cleared, ADC 
performs the same operation as 
the ADD instruction. 

INC (Increment) adds one to the destination 
operand. The processor treats the operand as 
an unsigned binary number. INC updates AF, 
OF, PF, SF, and ZF, but it does not affect 
CF. Use ADD with an immediate value of 1 
if an increment that updates carry (CF) is 
needed. 

Example: INC BL 

Adds 1 to the contents of BL. 



3.3.2 Subtraction Instructions 

SUB (Subtract Integers) subtracts the source 
operand from the destination operand and 
replaces the destination operand with the 
result. If a borrow, is required, carry flag is 



3-7 



BASIC INSTRUCTION SET 



set. The operands may be signed or unsigned 
bytes or words. SUB affects OF, SF, ZF, AF, 
PF, andCF. 

Example: SUB WORDOPRND, AX 

Replaces the contents of the des- 
tination operand WORDOPRND 
with the result obtained by 
subtracting the contents of AX 
from the contents of the memory 
word labeled WORDOPRND. 

SBB (Subtract Integers with Borrow) 
subtracts the source operand from the desti- 
nation operand, subtracts 1 if CF is set, and 
returns the result to the destination operand. 
The operands may be signed or unsigned bytes 
or words. SBB may be used to subtract 
numbers longer than 16 bits. This instruction 
affects OF, SF, ZF, AF, PF, and CF. The 
carry flag is set if a borrow is required. 

Example: SBB BL, 32 

Subtracts 32 from the contents of 
BL and then decrements the 
result of this subtraction by one if 
CF is set. If CF is cleared, SBB 
performs the same operation 
as SUB. 

DEC (Decrement) subtracts 1 from the desti- 
nation operand. DEC updates AF, OF, PF, 
SF, and ZF, but it does not affect CF. Use 
SUB with an immediate value of 1 to perform 
a decrement that affects carry. 

Example: DEC BX 

Subtracts 1 from the contents of 
BX and places the result back 
in BX. 

3.3.3 Multiplication Instructions 

MUL (Unsigned Integer Multiply) performs 
an unsigned multiplication of the source 



operand and the accumulator. If the source is 
a byte, the processor multiplies it by the 
contents of AL and returns the double-length 
result to AH and AL. 

If the source operand is a word, the processor 
multiplies it by the contents of AX and 
returns the double-length result to DX and 
AX. MUL sets CF and OF to indicate that 
the upper half of the result is nonzero; other- 
wise, they are cleared. This instruction leaves 
SF, ZF, AF, and PF undefined. 

Example: MUL BX 

Replaces the contents of DX and 
AX with the product of BX and 
AX. The low-order 1 6 bits of the 
result replace the contents of AX; 
the high-order word goes to DX. 
The processor sets CF and OF if 
the unsigned result is greater than 
16 bits. 

IMUL (Signed Integer Multiply) performs a 
signed multiplication operation. IMUL uses 
AX and DX in the same way as the MUL 
instruction, except when used in the immedi- 
ate form. 

The immediate form of IMUL allows the 
specification of a destination register other 
than the combination of DX and AX. In this 
case, the result cannot exceed 16 bits without 
causing an overflow. If the immediate operand 
is a byte, the processor automatically extends 
it to 16 bits before performing the 
multiplication. 

The immediate form of IMUL may also be 
used with unsigned operands because the low 
16 bits of a signed or unsigned multiplication 
of two 16-bit values will always be the same. 

IMUL clears CF and OF to indicate that the 
upper half of the result is the sign of the lower 
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half. This instruction leaves SF, ZF, AF, and 
PF undefined. 

Example: IMUL BL 

Replaces the contents of AX with 
the product of BL and AL. The 
processor sets CF and OF if the 
result is more than 8 bits long. 

Example: IMUL BX, SI, 5 

Replaces the contents of BX with 
the product of the contents of SI 
and an immediate value of 5. The 
processor sets CF and OF if the 
signed result is longer than 
16 bits. 

3.3.4 Division Instructions 

DIV (Unsigned Integer Divide) performs an 
unsigned division of the accumulator by the 
source operand. If the source operand is a 
byte, it is divided into the double-length 
dividend assumed to be in registers AL and 
AH (AH = most significant byte; AL = 
least significant byte). The single-length 
quotient is returned in AL, and the single- 
length remainder is returned in AH. 

If the source operand is a word, it is divided 
into the double-length dividend in registers 
AX and DX. The single-length quotient is 
returned in AX, and the single-length 
remainder is returned in DX. Non-integral 
quotients are truncated to integers toward 0. 
The remainder is always less than the 
quotient. 

For unsigned byte division, the largest 
quotient is 255. For unsigned word division, 
the largest quotient is 65,535. DIV leaves OF, 
SF, ZF, AF, PF, and CF undefined. Inter- 
rupt (INT 0) occurs if the divisor is zero or 
if the quotient is too large for AL or AX. 



Example: DIV BX 

Replaces the contents of AX with 
the unsigned quotient of the 
doubleword value contained in 
DX and AX, divided by BX. The 
unsigned modulo replaces the 
contents of DX. 

Example: DIV BL 

Replaces the contents of AL with 
the unsigned quotient of the word 
value in AX, divided by BL. The 
unsigned modulo replaces the 
contents of AH. 

IDIV (Signed Integer Divide) performs a 
signed division of the accumulator by the 
source operand. IDIV uses the same registers 
as the DIV instruction. 

For signed byte division, the maximum 
positive quotient is +127 and the minimum 
negative quotient is —128. For signed word 
division, the maximum positive quotient is 
+ 32,767 and the minimum negative quotient 
is —32,768. Non-integral results are 
truncated towards 0. The remainder will 
always have the same sign as the dividend and 
will be less than the divisor in magnitude. 
IDIV leaves OF, SF, ZF, AF, PF, and CF 
undefined. A division by zero causes an inter- 
rupt (INT 0) to occur if the divisor is or if 
the quotient is too large for AL or AX. 

Example: IDIV WORDOPRND 

Replaces the contents of AX with 
the signed quotient of the double- 
word value contained in DX and 
AX, divided by the value 
contained in the memory word 
labeled WORDOPRND. The 
signed modulo replaces the 
contents of DX. 
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3.4 LOGICAL INSTRUCTIONS 

The group of logical instructions includes the 
Boolean operation instructions, rotate and 
shift instructions, type conversion instruc- 
tions, and the no-operation (NOP) 
instruction. 



3.4.1 Boolean Operation Instructions 

Except for the NOT and NEG instructions, 
the Boolean operation instructions can use two 
register operands, a general purpose register 
operand with a memory operand, an immedi- 
ate operand with a general purpose register 
operand, or a memory operand. The NOT and 
NEG instructions are unary operations that 
use a single operand in a register or memory. 

AND (And) performs the logical "and" of the 
operands (byte or word) and returns the result 
to the destination operand. AND clears OF 
and DF, leaves AF undefined, and updates 
SF, ZF, and PF. 

Example: AND WORDOPRND, BX 

Replaces the contents of 
WORDOPRND with the logical 
"and" of the contents of 
the memory word labeled 
WORDOPRND and the contents 
ofBX. 

NOT (Not) inverts the bits in the specified 
operand to form a one's complement of the 
operand. NOT has no effect on the flags. 

Example: NOT BYTEOPRND 

Replaces the original contents of 
BYTEOPRND with the one's 
complement of the contents of 
the memory word labeled 
BYTEOPRND. 



OR (Or) performs the logical "inclusive or" 
of the two operands and returns the result to 
the destination operand. OR clears OF and 
DF, leaves AF undefined, and updates SF, 
ZF, and PF. 

Example: OR AL,5 

Replaces the original contents of 
AL with the logical "inclusive or" 
of the contents of AL and the 
immediate value 5. 

XOR (Exclusive OR) performs the logical 
"exclusive or" of the two operands and returns 
the result to the destination operand. XOR 
clears OF and DF, leaves AF undefined, and 
updates SF, ZF, and PF. 

Example: XOR DX, WORDOPRND 

Replaces the original contents of 
DX with the logical "exclusive or" 
or the contents of DX and the 
contents of the memory word 
labeled WORDOPRND. 

NEG (Negate) forms a two's complement of 
a signed byte or word operand. The effect of 
NEG is to reverse the sign of the operand 
from positive to negative or from negative to 
positive. NEG updates OF, SF, ZF, AF, PF, 
and CF. 

Example: NEG AX 

Replaces the original contents of 
AX with the two's complement of 
the contents of AX. 

3.4.2 Shift and Rotate Instructions 

The shift and rotate instructions reposition the 
bits within the specified operand. The shift 
instructions provide a convenient way to 
accomplish division or multiplication by 
binary power. The rotate instructions are 
useful for bit testing. 
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3.4.2.1 SHIFT INSTRUCTIONS 

The bits in bytes and words may be shifted 
arithmetically or logically. Depending on the 
value of a specified count, up to 31 shifts may 
be performed. 

A shift instruction can specify the count in 
one of three ways. One form of shift instruc- 
tion implicitly specifies the count as a single 
shift. The second form specifies the count as 
an immediate value. The third form specifies 
the count as the value contained in CL. This 
last form allows the shift count to be a 
variable that the program supplies during 
execution. 

Shift instructions affect the flags as follows. 
AF is always undefined following a shift 
operation. PF, SF, and ZF are updated 
normally as in the logical instructions. 

CF always contains the value of the last bit 
shifted out of the destination operand. In a 
single-bit shift, OF is set if the value of the 
high-order (sign) bit was changed by the 
operation. Otherwise, OF is cleared. Follow- 
ing a multibit shift, however, the content of 
OF is always undefined. 

SAL (Shift Arithmetic Left) shifts the desti- 
nation byte or word operand left by one or by 
the number of bits specified in the count 
operand (an immediate value or the value 



contained in CL). The processor shifts zeros 
in from the right side of the operand as bits 
exit from the left side. See figure 3-5. 

Example: SAL BL,2 

Shifts the contents of BL left by 
2 bits and replaces the two low- 
order bits with zeros. 

Example: SAL BL,1 

Shifts the contents of BL left by 
1 bit and replaces the low-order 
bit with a zero. Because the 
processor does not have to decode 
the immediate count operand to 
obtain the shift count, this form 
of the instruction takes 2 clock 
cycles rather than the 6 clock 
cycles (5 cycles + 1 cycle for 
each bit shifted) required by the 
previous example. 

SHL (Shift Logical Left) is physically the 
same instruction as SAL (see SAL above). 

SHR (Shift Logical Right) shifts the desti- 
nation byte or word operand right by one or 
by the number of bits specified in the count 
operand (an immediate value or the value 
contained in CL). The processor shifts zeros 
in from the left side of the operand as bits 
exit from the right side. See figure 3-6. 
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SAL OR 
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AFTER 
SAL OR 
SHL BY 
8 BITS 



Both SAL and SHL shift the bits in the register or memory operand to the left by the specified number of bit positions. CF receives the 
last bit shifted out of the left of the operand. SAL and SHL shift in zeros to fill the vacated bit locations. These instructions operate on 
byte operands as well as word operands. 



Figure 3-5. SAL and SHL 
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Example: SHR BYTEOPRND, CL 

Shifts the contents of the memory 
byte labeled BYTEOPRND right 
by the number of bits specified in 
CL, and pads the left side of 
BYTEOPRND with an equal 
number of zeros. 

SAR (Shift Arithmetic Right) shifts the 
destination byte or word operand to the right 
by one or by the number of bits specified in 
the count operand (an immediate value or the 
value contained in CL). The processor 



preserves the sign of the operand by shifting 
in zeros on the left side if the value is positive 
or by shifting by ones if the value is negative. 
See figure 3-7. 



Example: SAR WORDPRND,l 

Shifts the contents of the memory 
byte labeled WORDPRND right 
by one, and replaces the high- 
order sign bit with a value equal 
to the original sign of 
WORDPRND. 
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SHR shifts the bits In the register or memory operand to the right by the specified number of bit positions. CF receives the last bit shifted 
out of the right of the operand. SHR shifts in zeros to fill the vacated bit locations. This instruction operates on byte operands as well as 
word operands. 



Figure 3-6. SHR 
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SAR preserves the sign of the register or memory operand as it shifts the operand to the right the specified number of bit positions. CF 
receives the last bit shifted out of the right of the operand. This instruction also operates on byte operands. 



Figure 3-7. SAR 
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3.4.2.2 ROTATE INSTRUCTIONS 

Rotate instructions allow bits in bytes and 
words to be rotated. Bits rotated out of an 
operand are not lost as in a shift, but are 
"circled" back into the other "end" of the 
operand. 

Rotates affect only the carry and overflow 
flags. CF may act as an extension of the 
operand in two of the rotate instructions, 
allowing a bit to be isolated and then tested 
by a conditional jump instruction (JC or 
JNC). CF always contains the value of the 
last bit rotated out, even if the instruction does 
not use this bit as an extension of the rotated 
operand. 

In single-bit rotates, OF is set if the operation 
changes the high-order (sign) bit of the desti- 
nation operand. If the sign bit retains its 



original value, OF is cleared. On multibit 
rotates, the value of OF is always undefined. 

ROL {Rotate Left) rotates the byte or word 
destination operand left by one or by the 
number of bits specified in the count operand 
(an immediate value or the value contained 
in CL). For each rotation specified, the high- 
order bit that exists from the left of the 
operand returns at the right to become the 
new low-order bit of the operand. See 
figure 3-8. 

Example: ROL AL, 8 

Rotates the contents of AL left by 
8 bits. This rotate instruction 
returns AL to its original state but 
isolates the low-order bit in CF 
for testing by a JC or JNC 
instruction. 
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ROL shifts the bits In the memory or register operand to the left by the specified number of bit positions. It copies the bit shifted out of 
the left of the operand into the right of the operand. The last bit shifted into the least significant bit of the operand also appears in CF. 
This instruction also operates on byte operands. 



Figure 3-8. ROL 
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ROR (Rotate Right) rotates the byte or word 
destination operand right by one or by the 
number of bits specified in the count operand 
(an immediate value or the value contained 
in CL). For each rotation specified, the low- 
order bit that exits from the right of the 
operand returns at the left to become the new 
highrorder bit of the operand. See 
figure 3-9. 



Example: ROR WORDOPRND, CL 

Rotates the contents of 
the memory word labeled 
WORDOPRND by the number 
of bits specified by the value 
contained in CL. CF reflects the 
value of the last bit rotated from 
the right to the left side of the 
operand. 
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AFTER ROR BY 8 BITS 



CF 



ROR shifts the bits In the memory or register operand to the right by the specified number of bit positions. It copies each bit shifted out 
of the right of the operand into the left of the operand. The last bit shifted into the most significant bit of the operand also appears in 
CF. This instruction also operates on byte operands. 



Figure 3-9. ROR 
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RCL (Rotate Through Carry Left) rotates bits 
in the byte or word destination operand left 
by one or by the number of bits specified in 
the count operand (an immediate value or the 
value contained in CL). 

This instruction differs form ROL in that it 
treats CF as a high-order 1-bit extension of 
the destination operand. Each high-order bit 
that exits from the left side of the operand 
moves to CF before it returns to the operand 



as the low-order bit on the next rotation cycle. 
See figure 3-10. 

Example: RCL BX,1 

Rotates the contents of BX left by 
one bit. The high-order bit of the 
operand moves to CF, the 
remaining 15 bits move left one 
position, and the original value of 
CF becomes the new low-order 
bit. 
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AFTER RCL BY 16 BITS 



CF 



RCL rotates the bits In the memory or register operand to the left In the same way as ROL except that RCL treats CF as a 1-bit extension 
of the operand. Note that a 16-blt RCL produces the same result as a 1-bit RCR (though it takes much longer to execute). This instruction 
also operates on byte operands. 



Figure 3-10. RCL 
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RCR (Rotate Through Carry Right) rotates 
bits in the byte or word destination operand 
right by one or by the number of bits speci- 
fied in the count operand (an immediate value 
or the value contained in CL). 



This instruction differs from ROR in that it 
treats CF as a low-order 1-bit extension of the 
destination operand. Each low-order bit that 
exits from the right side of the operand moves 
to CF before it returns to the operand as the 



high-order bit on the next rotation cycle. See 
figure 3-11. 

Example: RCR BYTEOPRND,3 

Rotates the contents of the 
memory byte labeled 

BYTEOPRND to the right by 3 
bits. Following the execution of 
this instruction, CF reflects the 
original value of bit number 5 of 
BYTEOPRND, and the original 
value of CF becomes bit 2. 
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RCR rotates the bits In the memory or register operand to the right In the same way as ROR except that RCR treats CF as a 1-bit extension 
of the operand. This instruction also operates on byte operands. 



Figure 3-11. RCR 
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3.4.3 Type Conversion and No-Operation 
Instructions 

The type conversion instructions prepare 
operands for division. The NOP instruction is 
a 1-byte filler instruction with no effect on 
registers or flags. 

CWD (Convert Word to Double-Word) 
extends the sign of the word in register AX 
throughout register DX. CWD does not affect 
any flags. CWD can be used to produce a 
double-length (double-word) dividend from a 
word before a word division. 

CBW (Convert Byte to Word) extends the sign 
of the byte in register AL throughout AX. 
CBW does not affect any flags. 

Example: CWD 

Sign-extends the 16-bit value in 
AX to a 32-bit value in DX and 
AX with the high-order 16-bits 
occupying DX. 

NOP (No Operation) occupies a byte of 
storage but affects nothing but the instruc- 
tion pointer, IP. The amount of time that a 
NOP instruction requires for execution varies 
in proportion to the CPU clocking rate. This 
variation makes it inadvisable to use NOP 
instructions in the construction of timing loops 
because the operation of such a program will 
not be independent of the system hardware 
configuration. 

Example: NOP 

The processor performs no opera- 
tion for 2 clock cycles. 

3.5 TEST AND COMPARE INSTRUCTIONS 

The test and compare instructions are similar 
in that they do not alter their operands. 
Instead, these instructions perform opera- 
tions that only set the appropriate flags to 
indicate the relationship between the two 
operands. 



TEST (Test) performs the logical "and" of 
the two operands, clears OF and DF, leaves 
AF undefined, and updates SF, ZF, and PF. 
The difference between TEST and AND is 
that TEST does not alter the destination 
operand. 

Example: TEST BL,32 

Performs a logical "and" and sets 
SF, ZF, and PF according to the 
results of this operation. The 
contents of BL remain 
unchanged. 

CMP (Compare) subtracts the source operand 
from the destination operand. It updates OF, 
SF, ZF, AF, PF, and CF but does not alter 
the source and destination operands. A subse- 
quent signed or unsigned conditional transfer 
instruction can test the result using the 
appropriate flag result. 

CMP can compare two register operands, a 
register operand and a memory operand, a 
register operand and an immediate operand, 
or an immediate operand and a memory 
operand. The operands may be words or bytes, 
but CMP cannot compare a byte with a word. 

Example: CMP BX,32 

Subtracts the immediate operand, 
32, from the contents of BX and 
sets OF, SF, ZF, AF, PF, and CF 
to reflect the result. The contents 
of BX remain unchanged. 

3.6 CONTROL TRANSFER INSTRUCTIONS 

The iAPX 286 provides both conditional and 
unconditional program transfer instructions to 
direct the flow of execution. Conditional 
program transfers depend on the results of 
operations that affect the flag register. 
Unconditional program transfers are always 
executed. 
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3.6.1 Unconditional Transfer Instructions 

JMP, CALL, RET, INT and IRET instruc- 
tions transfer control from one code segment 
location to another. These locations can be 
within the same code segment or in different 
code segments. 

3.6.1.1 JUMP INSTRUCTION 

JMP (Jump) unconditionally transfers control 
to the target location. JMP is a one-way 
transfer of execution; it does not save a return 
address on the stack. 

The JMP instruction always performs the 
same basic function of transferring control 
from the current location to a new location. 
Its implementation varies depending on the 
following factors: 

• Is the address specified directly within the 
instruction or indirectly through a regis- 
ter or memory. 

• Is the target location inside or outside the 
current code segment selected in CS? 

A direct JMP instruction includes the desti- 
nation address as part of the instruction. An 
indirect JMP instruction obtains the destina- 
tion address indirectly through a register or a 
pointer variable. 

Control transfers through a gate or to a task 
state segment are available only in Protected 
Mode operation of the iAPX 286. The formats 
of the instructions that transfer control 
through a call gate, a task gate, or to a task 
state segment are the same. The label 
included in the instruction selects one of these 
three paths to a new code segment. 

Direct JMP within the current code segment. 
A direct JMP that transfers control to a target 
location within the current code segment uses 
a relative displacement value contained in the 
instruction. This can be either a 16-bit value 



or an 8-bit value sign extended to 16 bits. The 
processor forms an effective address by adding 
this relative displacement to the address 
contained in IP. IP refers to the next instruc- 
tion when the additions are performed. 

Example: JMP NEAR_NEWCODE 

Transfers control to the 
target location labeled 

NEAR_NEWCODE, which is 
within the code segment currently 
selected in CS. 

Indirect JMP within the current code 
segment. Indirect JMP instructions that 
transfer control to a location within the 
current code segment specify an absolute 
address in one of several ways. First, the 
program can JMP to a location specified by 
a 16-bit register (any of AX, DX, CX, BX, 
BP, SI, or DI). The processor moves this 16- 
bit value into IP and resumes execution. 

Example: JMP SI 

Transfers control to the target 
address formed by adding the 16- 
bit value contained in SI to the 
base address contained in CS. 

The processor can also obtain the destination 
address within a current segment from a 
memory word operand specified in the 
instruction. 

Example: JMP PTR_X 

Transfers control to the target 
address formed by adding the 16- 
bit value contained in the memory 
word labeled PTR X to the base 
address contained in CS. 

A register can modify the address of the 
memory word pointer to select a destination 
address. 
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Example: JMP CASE_TABLE [BX] 

CASE_TABLE is the first word 
in an array of word pointers. The 
value of BX determines which 
pointer the program selects from 
the array. The JMP instruction 
then transfers control to the 
location specified by the selected 
pointer. 



this differently, 
and 7). 



See Chapters 6 



Direct JMP outside of the current code 
segment to a call gate. If the selector included 
with the instruction refers to a call gate, then 
the processor ignores the offset in the instruc- 
tion and takes the pointer of the routine being 
entered from the call gate. 



Direct JMP outside of the current code 
segment. Direct JMP instructions that specify 
a target location outside the current code 
segment contain a full 32-bit pointer. This 
pointer consists of a selector for the new code 
segment and an offset within the new 
segment. 

Example: JMP FAR_NEWCODE_FOO 

Places the selector contained in 
the instruction into CS and the 
offset into IP. The program 
resumes execution at this location 
in the new code segment. 

Indirect JMP outside of the current code 
segment. Indirect JMP instructions that 
specify a target location outside the current 
code segment use a double-word variable to 
specify the pointer. 

Example: JMP NEWCODE 

NEWCODE the first word of two 
consecutive words in memory 
which represent the new pointer. 
NEWCODE contains the new 
offset for IP and the word follow- 
ing NEWCODE contains the 
selector for CS. The program 
resumes execution at this location 
in the new code segment. 
(Protected mode programs treat 



JMP outside of current code segment may 
only go to the same level. 

Example: JMP CALL_GATE_FOO 

The selector in the instruction 
refers to the call gate 
CALL_GATE_FOO, and the call 
gate actually provides the new 
contents of CS and IP to specify 
the address of the next 
instructions. 

Indirect JMP outside the current code 
segment to a call gate. If the selector speci- 
fied by the instruction refers to a call gate, 
the processor ignores the offset in the double- 
word and takes the address of the routine 
being entered from the call gate. The JMP 
instruction uses the same format to indirectly 
specify a task gate or a task state segment. 

Example: JMP CASE_TABLE [BX] 

The instruction refers to the 
double-word in the array of 
pointers called CASE_TABLE. 
The specific double-word chosen 
depends on the value in BX when 
the instruction executes. The 
selector portion of this double- 
word selects a call gate, and the 
processor takes the address of the 
routine being entered from the 
call gate. 
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3.6.1.2 CALL INSTRUCTION 
CALL (Call Procedure) activates an out-of- 
line procedure, saving on the stack the address 
of the instruction following the CALL for 
later use by a RET (Return) instruction. An 
intrasegment CALL places the current value 
of IP on the stack. An intersegment CALL 
places both the value of IP and CS on the 
stack. The RET instruction in the called 
procedure uses this address to transfer control 
back to the calling program. 

A long CALL instruction that invokes a task- 
switch stores the outgoing task's task state 
segment selector in the incoming task state 
segment's link field and sets the nested task 
flag in the new task. In this case, the IRET 
instruction takes the place of the RET 
instruction to return control to the nested task. 

Examples: 

CALL NEAR_NEWCODE 
CALL SI 
CALL PTR_X 
CALL CASE_TABLE [BP] 
CALL FAR_NEWCODE_FOO 
CALL NEWCODE 
CALL CALL_GATE_FOO 
CALL CASE_TABLE [BX] 

See the previous treatment of JMP for a 
discussion of the operations of these 
instructions. 



3.6.1.3 RETURN AND RETURN FROM INTERRUPT 
INSTRUCTION 

RET (Return From Procedure) terminates the 
execution of a procedure and transfers control 
through a back-link on the stack to the 
program that originally invoked the 
procedure. 

An intrasegment RET restores the value of 
IP that was saved on the stack by the previous 



intrasegment CALL instruction. An inter- 
segment RET restores the values of both CS 
and IP which were saved on the stack by the 
previous intersegment CALL instruction. 

RET instructions may optionally specify a 
constant to the stack pointer. This constant 
specifies the new top of stack to effectively 
remove any arguments that the calling 
program pushed on the stack before the 
execution of the CALL instruction. 

Example: RET 

If the previous CALL instruction 
did not transfer control to a new 
code segment, RET restores the 
value of IP pushed by the CALL 
instruction. If the previous CALL 
instruction transferred control to 
a new segment, RET restores the 
values of both IP and CS which 
were pushed on the stack by the 
CALL instruction. 

Example: RET n 

This form of the RET instruction 
performs identically to the above 
example except that it adds n 
(must be an even value) to the 
value of SP to eliminate 8 bytes 
of parameter information previ- 
ously pushed by the calling 
program. 

IRET (Return From Interrupt or Nested 
Task) returns control to an interrupted 
routine or, optionally, reverses the action of a 
CALL or INT instruction that caused a task 
switch. See Chapter 8 for further information 
on task switching. 

Example: IRET 

Returns from an interrupt with or 
without a task-switch based on the 
value of the NT bit. 
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3.6.2 Conditional Transfer Instructions 

The conditional transfer instructions are 
jumps that may or may not transfer control, 
depending on the state of the CPU flags when 
the instruction executes. The target for all 
conditional jumps must be in the current code 
segment and within —128 to +127 bytes of 
the first byte of the next instruction. 

3.6.2.1 CONDITIONAL JUMP INSTRUCTIONS 

Table 3-3 shows the conditional transfer 
mnemonics and their interpretations. The 
conditional jumps that are listed as pairs are 
actually the same instruction. The instruction 
set provides the alternate mnemonics for 
greater clarity within a program listing. 

3.6.2.2 LOOP INSTRUCTIONS 

The loop instructions are conditional jumps 
that use a value placed in CX to specify the 



number of repetitions of a software loop. All 
loop instructions automatically decrement CX 
and terminate the loop when CX=0. Four of 
the five loop instructions specify a condition 
of ZF that terminates the loop before CX 
decrements to zero. 

LOOP (Loop While CX Not Zero) is a condi- 
tional transfer that auto-decrements the CX 
register before testing CX for the branch 
condition. If CX is non-zero, the program 
branches to the target label specified in the 
instruction. The LOOP instruction causes the 
repetition of a code section until the opera- 
tion of the LOOP instruction decrements CX 
to a value of zero. If LOOP finds CX = 0, 
control transfers to the instruction immedi- 
ately following the LOOP instruction. If the 
value of CX is initially zero, then the LOOP 
executes 65536 times. 



Table 3-3. Interpretation of Conditional Transfers 



Unsigned Conditional Transfers 


Mnemonic 


Condition Tested 


"Jump If. . ." 


JA/JNBE 


(CF or ZF) = 


above/not below nor equal 


JAE/JNB 


CF = 


above or equal/not below 


JB/JNAE 


CF = 1 


below/not above nor equal 


JBE/JNA 


(CF or ZF) = 1 


below or equal/not above 


JC 


CF= 1 


carry 


JE/JZ 


ZF= 1 


equal/zero 


JNC 


CF = 


not carry 


JNE/JNZ 


ZF = 


not equal/not zero 


JNP/JPO 


PF = 


not parity/parity odd 


JP/JPE 


PF = 1 


parity/parity even 


Signed Conditional Transfers 


Mnemonic 


Condition Tested 


"Jump If. . ." 


JG/JNLE 


((SF xor OF) or ZF) = 


greater/not less nor equal 


JGE/JNL 


(SF xor OF) = 


greater or equal/not less 


JL/JNGE 


(SF xor OF) = 


less/not greater nor equal 


JLE/JNG 


((SF xor OF) or ZF) = 1 


less or equal/not greater 


JNO 


OF = 


not overflow 


JNS 


SF = 


not sign 


JO 


OF= 1 


overflow 


JS 


SF= 1 


sign 
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Example: LOOP START_LOOP 

Each time the program encoun- 
ters this instruction, it decre- 
ments CX and then tests it. If the 
value of CX is non-zero, then the 
program branches to the instruc- 
tion labeled START_LOOP. If 
the value in CX is zero, then the 
program continues with the 
instruction that follows the LOOP 
instruction. 



LOOPE (Loop While Equal) and LOOPZ 
(Loop While Zero) are physically the same 
instruction. These instructions auto-decre- 
ment the CX register before testing CX and 
ZF for the branch conditions. If CX is non- 
zero and ZF= 1, the program branches to the 
target label specified in the instruction. If 
LOOPE or LOOPZ finds that CX=0 or 
ZF=0, control transfers to the instruction 
immediately succeeding the LOOPE or 
LOOPZ instruction. 

Example: LOOPE START_LOOP (or 
LOOPZ START.LOOP) 

Each time the program encoun- 
ters this instruction, it decre- 
ments CX and tests CX and ZF. 
If the value in CX is non-zero and 
the value of ZF is 1, the program 
branches to the instruction labeled 
START_LOOP. If CX = or 
ZF = 0, the program continues 
with the instruction that follows 
the LOOPE (or LOOPZ) 
instruction. 



is non-zero and ZF=0, the program branches 
to the target label specified in the instruction. 
If LOOPNE or LOOPNZ finds that CX=0 
or ZF= 1, control transfers to the instruction 
immediately succeeding the LOOPNE or 
LOOPNZ instruction. 



Example: LOOPNE START_LOOP (or 
LOOPNZ START_LOOP) 

Each time the program encoun- 
ters this instruction, it decre- 
ments CX and tests CX and ZF. 
If the value of CX is non-zero and 
the value of ZF is 0, the program 
branches to the instruction labeled 
START_LOOP. If CX = or 
ZF=1, the program continues 
with the instruction that follows 
the LOOPNE (or LOOPNZ) 
instruction. 



3.6.2.3 EXECUTING A LOOP OR REPEAT 
ZERO TIMES 

JCXZ (Jump if CX Zero) branches to the 
label specified in the instruction if it finds a 
value of zero in CX. Sometimes, it is desira- 
ble to design a loop that executes zero times 
if the count variable in CX is initialized to 
zero. Because the loop instructions (and 
repeat prefixes) decrement CX before they 
test it, a loop will execute 65536 times if the 
program enters the loop with a zero value in 
CX. A programmer may conveniently 
overcome this problem with JCXZ, which 
enables the program to branch around the 
code within the loop if CX is zero when JCXZ 
executes. 



LOOPNE (Loop While Not Equal) and 
LOOPNZ (Loop While Not Zero) are physi- 
cally the same instruction. These instructions 
auto-decrement the CX register before testing 
CX and ZF for the branch conditions. If CX 



Example: JCXZ TARGETLABEL 

Causes the program to branch 
to the instruction labeled 
TARGETLABEL if CX=0 when 
the instruction executes. 
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3.6.3 Software-Generated Interrupts 

The INT and INTO instructions allow the 
programmer to specify a transfer to an inter- 
rupt service routine from within a program. 

3.6.3.1 SOFTWARE INTERRUPT INSTRUCTION 

INT (Software Interrupt) activates the inter- 
rupt service routine that corresponds to the 
number coded within the instruction. Inter- 
rupt type 3 is reserved for internal software- 
generated interrupts. However, the INT 
instruction may specify any interrupt type to 
allow multiple types of internal interrupts or 
to test the operation of a service routine. The 
interrupt service routine terminates with an 
IRET instruction that returns control to the 
instruction that follows INT. 

Example: INT 3 

Transfers control to the interrupt 
service routine specified by a type 
3 interrupt. 

Example: INT 

Transfers control to the interrupt 
service routine specified by a type 
interrupt, which is reserved for 
a divide error. 

INTO (Interrupt on Overflow) invokes a type 
4 interrupt if OF is set when the INTO 
instruction executes. The type 4 interrupt is 
reserved for this purpose. 

Example: INTO 

If the result of a previous opera- 
tion has set OF and no interven- 
ing operation has reset OF, then 
INTO invokes a type 4 interrupt. 
The interrupt service routine 
terminates with an IRET instruc- 
tion, which returns control to the 
instruction following INTO. 



3.7 CHARACTER TRANSLATION AND 
STRING INSTRUCTIONS 

The instructions in this category operate on 
characters or string elements rather than on 
logical or numeric values. 

3.7.1 Translate Instruction 

XL AT (Translate) replaces a byte in the AL 
register with a byte from a user-coded trans- 
lation table. When XLAT is executed, AL 
should have the unsigned index to the table 
addressed by BX. XLAT changes the contents 
of AL from table index to table entry. BX is 
unchanged. The XLAT instruction is useful 
for translating from one coding system to 
another such as from ASCII to EBCDIC. The 
translate table may be up to 256 bytes long. 
The value placed in the AL register serves as 
an index to the location of the corresponding 
translation value. Used with a LOOP instruc- 
tion, the XLAT instruction can translate a 
block of codes up to 64K bytes long. 

Example: XLAT 

Replaces the byte in AL with the 
byte from the translate table that 
is selected by the value in AL. 

3.7.2 String Manipulation Instructions and 
Repeat Prefixes 

The string instructions (also called primi- 
tives) operate on string elements to move, 
compare, and scan byte or word strings. One- 
byte repeat prefixes can cause the operation 
of a string primitive to be repeated to process 
strings as long as 64K bytes. 

The repeated string primitives use the direc- 
tion flag, DF, to specify left-to-right or right- 
to-left string processing, and use a count in 
CX to limit the processing operation. These 
instructions use the register pair DS:SI to 
point to the source string element and the 
register pair ES:DI to point to the 
destination. 
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One of two possible opcodes represent each 
string primitive, depending on whether it is 
operating on byte strings or word strings. The 
string primitives are generic and require one 
or more operands along with the primitive to 
determine the size of the string elements being 
processed. These operands do not determine 
the addresses of the strings; the addresses 
must already be present in the appropriate 
registers. 

Each repetition of a string operation using the 
Repeat prefixes includes the following steps: 

1. Acknowledge pending interrupts. 

2. Check CX for zero and stop repeating if 
CX is zero. 

3. Perform the string operation once. 

4. Adjust the memory pointers in DS:SI and 
ES:DI by incrementing SI and DI if DF 
is or by decrementing SI and DI if DF 
is 1. 

5. Decrement CX (this step does not affect 
the flags). 

6. For SCAS (Scan String) and CMPS 
(Compare String), check ZF for a match 
with the repeat condition and stop 
repeating if the ZF fails to match. 

The Load String and Store String instruc- 
tions allow a program to perform arithmetic 
or logical operations on string characters 
(using AX for word strings and AL for byte 
strings). Repeated operations that include 
instructions other than string primitives must 
use the loop instructions rather than a repeat 
prefix. 

3.7.2.1 STRING MOVEMENT INSTRUCTIONS 

REP (Repeat While CX Not Zero) specifies 
a repeated operation of a string primitive. The 
REP prefix causes the hardware to automat- 
ically repeat the associated string primitive 
until CX=0. This form of iteration allows the 



CPU to process strings much faster than 
would be possible with a regular software 
loop. 

When the REP prefix accompanies a MOVS 
instruction, it operates as a memory-to- 
memory block transfer. To set up for this 
operation, the program must initialize CX and 
the register pairs DS:SI and ES:DI. CX 
specifies the number of bytes or words in the 
block. 

If DF=0, the program must point DS:SI to 
the first element of the source string and point 
ES:DI to the destination address for the first 
element. If DF=1, the program must point 
these two register pairs to the last element of 
the source string and to the destination 
address for the last element, respectively. 

Example: REP MOVSW 

The processor checks the value in 
CX for zero. If this value is not 
zero, the processor moves a word 
from the location pointed to by 
DS:SI to the location pointed to 
by ES:DI and increments SI and 
DI by two (if DF=0). Next, the 
processor decrements CX by one 
and returns to the beginning of 
the repeat cycle to check CX 
again. After CX decrements to 
zero, the processor executes the 
instruction that follows. 

MOVS (Move String) moves the string 
character pointed to by the combination of DS 
and SI to the location pointed to by the 
combination of ES and DI. This is the only 
memory-to-memory transfer supported by the 
instruction set of the base architecture. 
MOVSB operates on byte elements. The 
destination segment register cannot be 
overridden by a segment override prefix while 
the source segment register can be 
overridden. 
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Example: MOVSW 

Moves the contents of the 
memory byte pointed to by DS:SI 
to the location pointed to by 
ES:DI. 

3.7.2.2 OTHER STRING OPERATIONS 

CMPS (Compare String) subtracts the desti- 
nation string element (ES:DI) from the source 
string element (DS:SI) and updates the flags 
AF, SF, PF, CF and OF. If the string 
elements are equal, ZF= 1; otherwise, ZF=0. 
If DF = 0, the processor increments the 
memory pointers (SI and DI) for the two 
strings. The segment register used for the 
source address can be changed with a segment 
override prefix while the destination segment 
register cannot be overridden. 

Example: CMPSB 

Compares the source and desti- 
nation string elements with each 
other and returns the result of the 
comparison to ZF. 

SCAS (Scan String) subtracts the destination 
string element at ES:DI from AX or AL and 
updates the flags AF, SF, ZF, PF, CF and 
OF. If the values are equal, ZF=1; other- 
wise, ZF = 0. If DF=0, the processor incre- 
ments the memory pointer (DI) for the string. 
The segment register used for the source 
address can be changed with a segment 
override prefix while the destination segment 
register cannot be overridden. 

Example: SCASW 

Compares the value in AX with 
the destination string element. 

REPE/REPZ (Repeat While CX Equal/Zero) 
and REPNE/REPNZ (Repeat While CX Not 
Equal/Not Zero) are the prefixes that are 
used exclusively with the SCAS (Scan 
String) and CMPS (Compare String) 
primitives. 



The difference between these two types of 
prefix bytes is that REPE/REPZ terminates 
when ZF=0 and REPNE/REPNZ termi- 
nates when ZF=1. ZF does not require 
initialization before execution of a repeated 
string instruction. 

When these prefixes modify either the SCAS 
or CMPS primitives, the processor compares 
the value of the current string element with 
the value in AX for word elements or with 
the value in AL for byte elements. The 
resulting state of ZF can then limit the 
operation of the repeated operation as well as 
a zero value in CX. 

Example: REPE SCASB 

Causes the processor to scan the 
string pointed to by ES:DI until 
it encounters a match with the 
byte value in AL or until CX 
decrements to zero. 

LODS (Load String) places the source string 
element at DS:SI into AX for word strings or 
into AL for byte strings. 

Example: LODSW 



Loads AX with the value pointed 
to by DS:SI. 



3.8 ADDRESS MANIPULATION 
INSTRUCTIONS 

The set of address manipulation instructions 
provide a way to perform address calcula- 
tions or to move to a new data segment or 
extra segment. 

LEA (Load Effective Address) transfers the 
offset of the source operand (rather than its 
value) to the destination operand. The source 
operand must be a memory operand, and the 
destination operand must be a 16-bit general 
register (AX, DX, BX, CX, BP, SP, SI, 
or DI). 
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LEA does not affect any flags. This instruc- 
tion is useful for initializing the registers 
before the execution of the string primitives 
or the XLAT instruction. 

Example: LEA BX EBCDIC_TABLE 

Causes the processor to place 
the address of the starting 
location of the table labeled 
EBCDIC_TABLE into BX. 

LDS (Load Pointer Using DS) transfers a 
32-bit pointer variable from the source 
operand to DS and the destination register. 
The source operand must be a memory 
operand, and the destination operand must be 
a 16-bit general register (AX, DX, BX, CX, 
BP, SP, SI or DI). DS receives the high-order 
segment word of the pointer. The destination 
register receives the low-order word, which 
points to a specific location within the 
segment. 

Example: LDS SI, STRING_X 

Loads DS with the word identi- 
fying the segment pointed to by 
STRINGS, and loads the offset 
of STRINGS into SI. Specify- 
ing SI as the destination operand 
is a convenient way to prepare for 
a string operation on a source 
string that is not in the current 
data segment. 

LES (Load Pointer Using ES) operates 
identically to LDS except that ES receives the 
offset word rather than DS. 

Example: LES DI, DESTINATIONS 

Loads ES with the word identi- 
fying the segment pointed to by 
DESTINATIONS, and loads 
the offset of DESTINATIONS 
into DI. This instruction provides 



a convenient way to select a 
destination for a string operation 
if the desired location is not in the 
current extra segment. 

3.9 FLAG CONTROL INSTRUCTIONS 

The flag control instructions provide a method 
of changing the state of bits in the flag 
register. 

3.9.1 Carry Flag Control Instructions 

The carry flag instructions are useful in 
conjunction with rotate-with-carry instruc- 
tions RCL and RCR. They can initialize the 
carry flag, CF, to a known state before 
execution of a rotate that moves the carry bit 
into one end of the rotated operand. 

STC (Set Carry Flag) sets the carry flag (CF) 
tol. 

Example: STC 

CLC (Clear Carry Flag) zeros the carry flag 
(CF). 

Example: CLC 

CMC (Complement Carry Flag) reverses the 
current status of the carry flag (CF). 

Example: CMC 

3.9.2 Direction Flag Control Instructions 

The direction flag control instructions are 
specifically included to set or clear the direc- 
tion flag, DF, which controls the left-to-right 
or right-to-left direction of string processing. 
IF DF=0, the processor automatically incre- 
ments the string memory pointers, SI and DI, 
after each execution of a string primitive. If 
DF=1, the processor decrements these 
pointer values. The initial state of DF is 0. 
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CLD (Clear Direction Flag) zeros DF, causing 
the string instructions to auto-increment SI 
and/or DI. CLD does not affect any other 
flags. 

Example: CLD 

STD (Set Direction Flag) sets DF to 1, 
causing the string instructions to auto-decre- 
ment SI and/or DI. STD does not affect any 
other flags. 



3.9.3 Flag Transfer Instructions 

Though specific instructions exist to alter CF 
and DF, there is no direct method of altering 
the other flags. The flag transfer instructions 
allow a program to alter the other flag bits 
with the bit manipulation instructions after 
transferring these flags to the stack or the AH 
register. 

The PUSHF and POPF instructions are also 
useful for preserving the state of the flag 
register before executing a procedure. 

LAHF (Load AH from Flags) copies SF, ZF, 
AF, PF, and CF to AH bits 7, 6, 4, 2, and 0, 
respectively (see figure 3-12). The contents of 
the remaining bits (5, 3, and 1) are undefined. 
The flags remain unaffected. This instruction 
can assist in converting 8080/8085 assembly 
language programs to run on the base archi- 
tecture of the iAPX 86, 88, 186, 
and 286. 

Example: LAHF 

SAHF (Store AH into Flags) transfers bits 7, 
6, 4, 2, and from AH into SF, ZF, AF, PF, 
and CF, respectively (see figure 3-12). This 
instruction also provides 8080/8085 compat- 
ibility with the iAPX 86, 88, 186, and 286. 

Example: SAHF 
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REGISTER AH 



LAHF loads five flags from the flag register Into register AH. SAHF 
stores these same five flags from AH Into the flag register. The 
bit position of each flag Is the same In AH as It Is In the flag 
register. The remaining bits are Indeterminate. 



Figure 3-12. LAHF and SAHF 

PUSHF (Push Flags) decrements SP by two 
and then transfers all flags to the word at the 
top of stack pointed to by SP (see figure 
3-13). The flags remain unaffected. This 
instruction enables a procedure to save the 
state of the flag register for later use. 

Example: PUSHF 

POPF (Pop Flags) transfers specific bits from 
the word at the top of stack into the low-order 
byte of the flag register (see figure 3-13). The 
processor then increments SP by two. 

Note that an application program in the 
protected virtual address mode may not alter 
IOPL (the I/O privilege level flag) unless the 
program is executing at privilege level 0. A 
program may alter IF (the interrupt flag) only 
when executing at a level that is at least as 
privileged as IOPL. 

Procedures may use this instruction to restore 
the flag status from a previous value. 

Example: POPF 

3.10 BINARY-CODED DECIMAL 

ARITHMETIC INSTRUCTIONS 

These instructions adjust the results of a 
previous arithmetic operation to produce a 
valid packed or unpacked decimal result. 
These instructions operate only on AL or AH 
registers. 
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PUSHF decrements SP by 2 bytes (1 word) and copies the contents of the flag register to the top of stack. POPF loads the flag register 
with the contents of the last word pushed onto the stack. The bit position of each flag Is the same in the stack word as It is in the flag 
register. Only programs executing at the highest privilege level (level 0) may alter the 2-bit IOPL flag. Only programs executing at a level at 
least as privileged as that indicated by IOPL may alter IF. 



Figure 3-13. PUSHF and POPF 



3.10.1 Packed BCD Adjustment 
Instructions 

DAA (Decimal Adjust) corrects the result of 
adding two valid packed decimal operands in 
AL. DAA must always follow the addition of 
two pairs of packed decimal numbers (one 
digit in each nibble) to obtain a pair of valid 
packed decimal digits as results. The carry 
flag will be set if carry was needed. 



A AS (ASCII Adjust for Subtraction) changes 
the contents of register AL to a valid 
unpacked decimal number, and zeros the top 
4 bits. AAS must always follow the subtrac- 
tion of one unpacked decimal operand from 
another in AL. The carry flag will be set and 
AH decremented if a borrow was necessary. 

Example: AAS 



Example: DAA 

DAS (Decimal Adjust for Subtraction) 
corrects the result of subtracting two valid 
packed decimal operands in AL. DAS must 
always follow the subtraction of one pair of 
packed decimal numbers (one digit in each 
nibble) from another to obtain a pair of valid 
packed decimal digits as results. The carry 
flag will be set if a borrow was needed. 

Example: DAS 

3.10.2 Unpacked BCD Adjustment 
Instructions 

AAA (ASCII Adjust for Addition) changes 
the contents of register AL to a valid 
unpacked decimal number, and zeros the top 
4 bits. AAA must always follow the addition 
of two unpacked decimal operands in AL. The 
carry flag will be set and AH will be incre- 
mented if a carry was necessary. 



AAM (ASCII Adjust for Multiplication) 
corrects the result of a multiplication of two 
valid unpacked decimal numbers. AAM must 
always follow the multiplication of two 
decimal numbers to produce a valid decimal 
result. The high order digit will be left in AH, 
the low order digit in AL. 

Example: AAM 



AAD (ASCII Adjust for Division) modifies 
the numerator in AH and AL to prepare for 
the division of two valid unpacked decimal 
operands so that the quotient produced by the 
division will be a valid unpacked decimal 
number. AH should contain the high-order 
digit and AL the low-order digit. This 
instruction will adjust the value and leave it 
in AL. AH will contain 0. 



Example: AAA 



Example: AAD 
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3.11 TRUSTED INSTRUCTIONS 

When operating in Protected Mode, the iAPX 
286 processor restricts the execution of trusted 
instructions according to the CPL and the 
current value of IOPL, the 2-bit I/O privi- 
lege flag. Only a program operating at the 
highest privilege level (level 0) may alter the 
value of IOPL. A program may execute 
trusted instructions only when executing at a 
level that is at least as privileged as that 
specified by IOPL. 

Trusted instructions control I/O operations, 
interprocessor communications in a multipro- 
cessor system, interrupt enabling, and the 
HLT instruction. 

These protection considerations do not apply 
in the real address mode. 



3.11.1 Trusted and Privileged Restrictions 
on POPF and IRET 

POPF (POP Flags) and IRET (Interrupt 
Return) are not affected by IOPL unless they 
attempt to alter IF (flag register bit 9). To 
change IF, POPF must be part of a program 
that is executing at a privilege level greater 
than or equal to that specified by IOPL. Any 
attempt to change IF when CPL ± will be 
ignored. To change the IOPL field, CPL must 
be zero. 



IF=1, the processor responds to all inter- 
rupts. An interrupt service routine might use 
these instructions to avoid further interrup- 
tion while it processes a previous interrupt 
request. As with the other flag bits, the 
processor clears IF during initialization. These 
instructions may be executed only if CPL < 
IOPL. A protection exception will occur if 
they are executed when CPL > IOPL. 

Example: STI 

Sets IF=1, which enables the 
processing of maskable external 
interrupts. 

Example: CLI 

Sets IF=0 to disable maskable 
interrupt processing. 

HLT (Halt) causes the processor to suspend 
processing operations pending an interrupt or 
a system reset. This trusted instruction 
provides an alternative to an endless software 
loop in situations where a program must wait 
for an interrupt. The return address saved 
after the interrupt will point to the instruc- 
tion immediately following HLT. This 
instruction may be executed only when 
CPL = 0. 



Example: HLT 



3.11.2 Machine State Instructions 

These trusted instructions affect the machine 
state control interrupt response, the processor 
halt state, and the bus LOCK signal that 
regulates memory access in multiprocessor 
systems. 

CLI (Clear Interrupt-Enable Flag) and STI 
(Set Interrupt-Enable Flag) alter bit 9 in the 
flag register. When IF = 0, the processor 
responds only to internal interrupts and to 
non-maskable external interrupts. When 



LOCK (Assert Bus Lock) is a I -byte prefix 
code that causes the processor to assert the 
bus LOCK signal during execution of the 
instruction that follows. LOCK does not affect 
any flags. LOCK may be used only when CPL 
< IOPL. A protection exception will occur if 
LOCK is used when CPL > IOPL. 

3.11.3 Input and Output Instructions 

These trusted instructions provide access to 
the processor's I/O ports to transfer data to 
and from peripheral devices. In the protected 
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mode, these instructions may be executed only 
when CPL < IOPL. 

IN (Input from Port) transfers a byte or a 
word from an input port to AL or AX. If a 
program specifies AL with the IN instruc- 
tion, the processor transfers 8 bits from the 
selected port to AL. Alternately, if a program 
specifies AX with the IN instruction, the 
processor transfers 16 bits from the port 
to AX. 

The program can specify the number of the 
port in two ways. Using an immediate byte 
constant, the program can specify 256 8-bit 
ports numbered through 255 or 128 16-bit 
ports numbered 0,2,4,. ..,252,254. Using the 
current value contained in DX, the program 
can specify 8-bit ports numbered through 
65,535, or 16-bit ports using even-numbered 
ports in the same range. 

Example: IN AL, 

BYTE_PORT_NUMBER 

Transfers 8 bits to AL 
from the port identified 
by the immediate constant 
BYTE_PORT_NUMBER. 

OUT (Output to Port) transfers a byte or a 
word to an output port from AL or AX. The 
program can specify the number of the port 
using the same methods of the IN instruc- 
tion. 

Example: OUT AX, DX 

Transfers 1 6 bits from AX to the 
port identified by the 16-bit 
number contained in DX. 

INS and OUTS (Input String and Output 
String) cause block input or output opera- 
tions using a Repeat prefix. See Chapter 4 for 
more information on INS and OUTS. 



3.12 PROCESSOR EXTENSION 
INSTRUCTIONS 

Processor Extension provides an extension to 
the instruction set of the base architecture 
(e.g., 80287). The NPX extends the instruc- 
tion set of the CPU-based architecture to 
support high-precision integer and floating- 
point calculations. This extended instruction 
set includes arithmetic, comparison, 
transcendental, and data transfer instruc- 
tions. The NPX also contains a set of useful 
constants to enhance the speed of numeric 
calculations. 

A program contains instructions for the NPX 
in line with the instructions for the CPU. The 
system executes these instructions in the same 
order as they appear in the instruction stream. 
The NPX operates concurrently with the 
CPU to provide maximum throughput for 
numeric calculations. 

The software emulation of the NPX is trans- 
parent to application software but requires 
more time for execution. 

3.12.1 Processor Extension 

Synchronization Instructions 

Escape and wait instructions allow a proces- 
sor extension such as the 80287 NPX to 
obtain instructions and data from the system 
bus and to wait for the NPX to return a result. 

ESC (Escape) identifies floating point 
numeric instructions and allows the iAPX 286 
to send the opcode to the NPX or to transfer 
a memory operand to the NPX. The 80287 
NPX uses the Escape instructions to perform 
high-performance, high-precision floating 
point arithmetic that conforms to the IEEE 
floating point standard. 

Example: ESC 6, ARRAY [SI] 

The CPU sends the escape opcode 
6 and the location of the array 
pointed to by SI to the NPX. 
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WAIT (Wait) suspends program execution 
until the iAPX 286 CPU detects a signal on 
the BUSY pin. In an iAPX 286/20 configu- 
ration that includes a numeric processor 
extension, the NPX activates the TEST pin 
to signal that it has completed its processing 
task and that the CPU may obtain the results. 

Example: WAIT 



3.12.2 Numeric Data Processor 
Instructions 

This section describes the categories of 
instructions available with Numeric Data 
Processor systems that include a Numeric 
Processor Extension or a software emulation 
of this processor extension. Refer to the 80287 
data sheet for more information. 

3.12.2.1 ARITHMETIC INSTRUCTIONS 

The extended instruction set includes not only 
the four arithmetic operations (add, subtract, 
multiply, and divide), but also subtract- 
reversed and divide-reversed instructions. The 
arithmetic functions include square root, 
modulus, absolute value, integer part, change 
sign, scale exponent, and extract exponent 
instructions. 



3.12.2.2 COMPARISON INSTRUCTIONS 

The comparison operations are the compare, 
examine, and test instructions. Special forms 
of the compare instruction can optimize 
algorithms by allowing comparisons of binary 
integers with real numbers in memory. 

3.12.2.3 TRANSCENDENTAL INSTRUCTIONS 

The instructions in this group perform the 
otherwise time-consuming calculations for all 
common trigonometric, inverse trigonome- 
tric, hyperbolic, inverse hyperbolic, logarith- 
mic, and exponential functions. The 
transcendental instructions include tangent, 
arctangent, 2 x — 1, Y . log 2 X, and Y. log 2 
(X+l). 

3.12.2.4 DATA TRANSFER INSTRUCTIONS 

The data transfer instructions move operands 
among the registers and between a register 
and memory. This group includes the load, 
store, and exchange instructions. 

3.12.2.5 CONSTANT INSTRUCTIONS 

Each of the constant instructions loads a 
commonly used constant into an NPX regis- 
ter. The values have a real precision of 64 bits 
and are accurate to approximately 1 9 decimal 
places. The constants loaded by these instruc- 
tions include 0, 1, Pi, log e 10, log 2 e, log 10 2, 
and log 2 e . 
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CHAPTER 4 
EXTENDED INSTRUCTION SET 



The instructions described in this chapter 
extend the capabilities of the base architec- 
ture instruction set described in Chapter 3. 
These extensions consist of new instructions 
and variations of some instructions that are 
not strictly part of the base architecture (in 
other words, not included in the iAPX 86, 88). 
These instructions are also available in the 
iAPX 186, 188. The instruction variations, 
described in Chapter 3, include the immedi- 
ate forms of the PUSH and MUL instruc- 
tions (PUSHA, POPA) and the privilege level 
restrictions on POPF. 

New instructions described in this chapter 
include the string input and output instruc- 
tions (INS and OUTS), the ENTER proce- 
dure and LEAVE procedure instructions, and 
the check index BOUND instruction. 

4.1 BLOCK I/O INSTRUCTIONS 

REP, the Repeat prefix, modifies INS and 
OUTS (the string I/O instructions) to provide 
a means of transferring blocks of data 
between an I/O port and Memory. These 
block I/O instructions are string primitives. 
They simplify programming and increase the 
speed of data transfer by eliminating the need 
to use a separate LOOP instruction or an 
intermediate register to hold the data. 

INS and OUTS are trusted instructions. To 
use trusted instructions, a program must 
execute at a privilege level at least as privi- 
leged as that specified by the 2-bit IOPL flag. 
Any attempt by a less-privileged program to 
use a trusted instruction results in a protec- 
tion exception. See Chapter 7 for information 
on protection concepts. 

One of two possible opcodes represents each 
string primitive depending on whether it 



operates on byte strings or word strings. After 
each transfer, the memory address in SI or 
DI is updated by 1 for byte values and by 2 
for word values. The value in the DF field 
determines if SI or DI is to be auto incre- 
mented (DF = 0) or auto decremented 
(DF=1). 

INS and OUTS use DX to specify I/O ports 
numbered through 65,535 or 16-bit ports 
using only even port addresses in the same 
range. 

INS (Input String from Port) transfers a byte 
or a word string element from an input port 
to memory. If a program specifies INSB, the 
processor transfers 8 bits from the selected 
port to the memory location indicated by 
ES:DI. Alternately, if a program specifies 
INSW, the processor transfers 16 bits from 
the port to the memory location indicated by 
ES:DI. The destination segment register 
cannot be overridden. 

Combined with the REP prefix, INS moves a 
block of information from an input port to a 
series of consecutive memory locations. 

Example: REP INSB 

The processor repeatedly trans- 
fers 8 bits to the memory location 
indicated by ES:DI from the port 
selected by the 16-bit port number 
contained in DX. Following each 
byte transfer, the CPU decre- 
ments CX. The instruction termi- 
nates the block transfer when 
CX=0. After decrementing CX, 
the processor increments DI by 
one if DF=0. It decrements DI 
by one if DF=1. 
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OUTS (Output String to Port) transfers a 
byte or a word string element to an output 
port from memory. Combined with the REP 
prefix, OUTS moves a block of information 
from a series of consecutive memory locations 
indicated by DS:SI to an output port. 

Example: REP OUTS WSTRING 

Assuming that the program 
declares WSTRING to be a 
word-length string element, the 
assembler uses the 16-bit form of 
the OUTS instruction to create 
the object code for the program. 
The processor repeatedly trans- 
fers words from the memory 
locations indicated by DI to the 
output port selected by the 1 6-bit 
port number in DX. 

Following each word transfer, the 
CPU decrements CX. The 
instruction terminates the block 
transfer when CX = 0. After 
decrementing CX, the processor 
increments SI by two to point to 
the next word in memory if 
DF=0, it decrements SI by two 
ifDF=l. 

4.2 HIGH-LEVEL INSTRUCTIONS 

The instructions in this section provide 
machine-language functions normally found 
only in high-level languages. These instruc- 
tions include ENTER and LEAVE, which 
simplify the programming of procedures, and 
BOUND, which provides a simple method of 
testing an index against its predefined range. 

ENTER (Enter Procedure) creates the stack 
frame required by most block-structured high- 
level languages. A LEAVE instruction at the 
end of a procedure complements an ENTER 
at the beginning of the procedure to simplify 
stack management and to control access to 
variables for nested procedures. 



The ENTER instruction includes two param- 
eters. The first parameter specifies the 
number of bytes of dynamic storage to be 
allocated on the stack for the routine being 
entered. The second parameter corresponds to 
the lexical nesting level of the routine. (Note 
that the lexical level has no relationship to 
either the protection privilege levels or to the 
I/O privilege level.) 

The specified lexical level determines how 
many sets of stack frame pointers the CPU 
copies into the new stack frame from the 
preceding frame. This list of stack frame 
pointers is sometimes called the "display." 
The first word of the display is a pointer to 
the last stack frame. This pointer enables a 
LEAVE instruction to reverse the action of 
the previous ENTER instruction by effec- 
tively discarding the last stack frame. 

After ENTER creates the new display for a 
procedure, it allocates the dynamic storage 
space for that procedure by decrementing SP 
by the number of bytes specified in the first 
parameter. This new value of SP serves as a 
base for all PUSH and POP operations within 
that procedure. 

To enable a procedure to address its display, 
ENTER leaves BP pointing to the beginning 
of the new stack frame. Data manipulation 
instructions that specify BP as a base register 
implicitly address locations within the stack 
segment instead of the data segment. Two 
forms of the ENTER instruction exist: nested 
and non-nested. If the lexical level is 0, the 
non-nested form is used. Since the second 
operand is 0, ENTER pushes BP, copies SP 
to BP and then subtracts the first operand 
from SP. The nested form of ENTER occurs 
when the second parameter (lexical level) is 
not 0. Figure 4-1 gives the formal definition 
of ENTER. 
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The Formal Definition Of The ENTER Instruction For All Cases Is 
Given By The Following Listing. LEVEL Denotes The Value Of 
The Second Operand. 

Push BP 

Set a temporary value FRAME_PTR := SP 

If LEVEL > then 

Repeat (LEVEL -1) times: 
BP: = BP -2 
Push the word pointed to by BP 

End repeat 

Push FRAME.PTR 
End If 

BP := FRAME_PTR 
SP := SP - first operand. 



Figure 4-1. Formal Definition of the ENTER 
Instruction 

The main procedure (with other procedures 
nested within) operates at the highest lexical 
level, level 1. The first procedure it calls 
operates at the next deeper lexical level, level 
2. A level 2 procedure can access the varia- 
bles of the main program which are at fixed 
locations specified by the compiler. In the case 
of level 1, ENTER allocates only the 
requested dynamic storage on the stack 
because there is no previous display to copy. 

A program operating at a higher lexical level 
calling a program at a lower lexical level 
requires that the called procedure should have 
access to the variables of the calling program. 
ENTER provides this access through a 
display that provides addressability to the 
calling program's stack frame. 

A procedure calling another procedure at the 
same lexical level implies that they are paral- 
lel procedures and that the called procedure 
should not have access to the variables of the 
calling procedure. In this case, ENTER copies 
only that portion of the display from the 
calling procedure which refers to previously 
nested procedures operating at higher lexical 
levels. The new stack frame does not include 
the pointer for addressing the calling proce- 
dure's stack frame. 

ENTER treats a reentrant procedure as a 
procedure calling another procedure at the 



same lexical level. In this case, each succeed- 
ing iteration of the reentrant procedure can 
address only its own variables and the varia- 
bles of the calling procedures at higher lexical 
levels. A reentrant procedure can always 
address its own variables; it does not require 
pointers to the stack frames of previous 
iterations. 

By copying only the stack frame pointers of 
procedures at higher lexical levels, ENTER 
makes sure that procedures access only those 
variables of higher lexical levels, not those at 
parallel lexical levels (see figure 4-2). Figures 
4-2a through 4-2d demonstrate the actions of 
the ENTER instruction if the modules shown 
in figure 4-1 were to call one another in 
alphabetic order. 

Example: ENTER 2048,3 

Allocates 2048 bytes of dynamic 
storage on the stack and sets up 
pointers to two previous stack 
frames in the stack frame that 
ENTER creates for this 
procedure. 

Block-structured high-level languages can use 
the lexical levels defined by ENTER to 
control access to the variables of previously 
nested procedures. For example, if 
PROCEDURE A calls PROCEDURE B 
which, in turn, calls PROCEDURE C, then 
PROCEDURE C will have access to the 
variables of MAIN and PROCEDURE A, 
but not PROCEDURE B because they 
operate at the same lexical level. Following is 
the complete definition of the variable access 
for figure 4-2. 

1. MAIN PROGRAM has variables at 
fixed locations. 

2. PROCEDURE A can access only the 
fixed variables of MAIN. 
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Figure 4-2. Variable Access in Nested Procedures 

3. PROCEDURE B can access only the 
variables of PROCEDURE A and 
MAIN. PROCEDURE B cannot access 
the variables of PROCEDURE C or 
PROCEDURE D. 

4. PROCEDURE C can access only the 
variables of PROCEDURE A and 
MAIN. PROCEDURE C cannot access 
the variables of PROCEDURE B or 
PROCEDURE D. 

5. PROCEDURE D can access the 
variables of PROCEDURE C, 
PROCEDURE A, and MAIN. 
PROCEDURE D cannot access the 
variables of PROCEDURE B. 



ENTER at the beginning of the MAIN 
PROGRAM creates dynamic storage space 
for MAIN but copies no pointers. The first 
and only word in the display points to itself 
because there is no previous value for LEAVE 
to return to BP. See figure 4-2a. 

After MAIN calls PROCEDURE A, 
ENTER creates a new display for PROCE- 
DURE A with the first word pointing to the 
previous value of BP (BPM for LEAVE to 
return to the MAIN stack frame) and the 
second word pointing to the current value of 
BP. Procedure A can access variables in 
MAIN since MAIN is at level 1. Therefore 
the base for the dynamic storage for MAIN 
is at [BP — 2]. All dynamic variables for 
MAIN will be at a fixed offset from this 
value. See figure 4-2b. 

After PROCEDURE A calls PROCEDURE 

B, ENTER creates a new display for 
PROCEDURE B with the first word point- 
ing to the previous value of BP, the second 
word pointing to the value of BP for MAIN, 
and the third word pointing to the value of 
BP for A and the last word pointing to the 
current BP. B can access variables in A and 
MAIN by fetching from the display the base 
addresses of the respective dynamic storage 
areas. See figure 4-2c. 

After PROCEDURE B calls PROCEDURE 

C, ENTER creates a new display for 
PROCEDURE C with the first word point- 
ing to the previous value of BP, the second 
word pointing to the value of BP for MAIN, 
and the third word pointing to the BP value 
for A and the third word pointing to the 
current value of BP. Because PROCEDURE 
B and PROCEDURE C have the same lexical 
level, PROCEDURE C is not allowed access 
to variables in B and therefore does not 
receive a pointer to the beginning of 
PROCEDURE B's stack frame. See 
figure 4-2d. 
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Figure 4-2a. Stack Frame for MAIN at Level 1 
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Figure 4-2b. Stack Frame for Procedure A 



Figure 4-2c Stack Frame for Procedure B at 
Level 3 Called from A 

LEAVE (Leave Procedure) reverses the action 
of the previous ENTER instruction. The 
LEAVE instruction does not include any 
operands. 

Example: LEAVE 

First, LEAVE copies BP to SP to 
release all stack space allocated to 
the procedure by the most recent 
ENTER instruction. Next, 
LEAVE pops the old value of BP 
from the stack. A subsequent 
RET instruction can then remove 
any arguments that were pushed 
on the stack by the calling 
program for use by the called 
procedure. 



4-5 



EXTENDED INSTRUCTION SET 











OLDBP 


BPM 






BPM 




BPM 


BPA 






BPA 


] 






BPM 


V DISPLAY 
1 DYNAMIC 






BPA 


BPB 










J STORAGE 











Figure 4-2d. Stack Frame for Procedure C at 
Level 3 Called from B 

BOUND (Detect Value Out of Range) verifies 
that the signed value contained in the speci- 
fied register lies within specified limits. An 
interrupt (INT 5) occurs if the value 
contained in the register is less than the lower 
bound or greater than the upper bound. 



The BOUND instruction includes two 
operands. The first operand specifies the 
register being tested. The second operand 
contains the effective relative address of the 
two signed BOUND limit values. The 
BOUND instruction assumes that it can 
obtain the upper limit from the memory word 
that immediately follows the lower limit. 
These limit values cannot be register 
operands; if they are, an invalid opcode 
exception occurs. 

BOUND is useful for checking array bounds 
before using a new index value to access an 
element within the array. BOUND provides 
a simple way to check the value of an index 
register before the program overwrites infor- 
mation in a location beyond the limit of the 
array. 

The two- word block of memory that specifies 
the lower and upper limits of an array might 
typically reside just before the array itself. 
This makes the array bounds accessible at a 
constant offset of —4 from the beginning of 
the array. Because the address of the array 
will already be present in a register, this 
practice avoids extra calculations to obtain the 
effective address of the array bounds. 

Example: BOUND BX,ARRAY-4 

Compares the value in BX with 
the lower limit at address 
ARRAY— 4 and the upper limit 
at address ARRAY- 2. If the 
signed value in BX is less than the 
lower bound or greater than the 
upper bound, the interrupt for this 
instruction (INT 5) occurs. 
Otherwise, this instruction has no 
effect. 



4-6 



Real Address Mode g 



CHAPTER 5 
REAL ADDRESS MODE 



The iAPX 286 can be operated in either of 
two modes according to the status of the 
Protection Enabled bit of the MSW status 
register. In contrast to the "modes" and 
"mode bits" of some processors, however, the 
iAPX 286 modes do not represent a radical 
transition between conflicting architectures. 
Instead, the setting of the Protection Enabled 
bit simply determines whether certain 
advanced features, in addition to the baseline 
architecture of the iAPX 286, are to be 
made available to system designers and 
programmers. 

If the Protection Enabled (PE) bit is set by 
the programmer, the processor changes into 
Protected Virtual Address Mode. In this 
mode of operation, memory addressing is 
performed in terms of virtual addresses, with 
on-chip mapping mechanisms performing the 
virtual-to-physical translation. Only in this 
mode can the system designer make use of the 
advanced architectural features of the iAPX 
286: virtual memory support, system-wide 
protection, and built-in multitasking mecha- 
nisms are among the new features provided in 
this mode of operation. Refer to Part II of 
this manual (Chapters 6 through 11) for 
details on Protected Mode operation. 

Initially, upon system reset, the processor 
starts up in Real Address Mode. In this mode 
of operation, all memory addressing is 
performed in terms of real physical addresses. 
In effect, the architecture of the iAPX 286 in 
this mode is identical to that of the 8086 and 
other processors in the iAPX 86 family. The 
principal features of this baseline architec- 
ture have already been discussed throughout 
Part I (Chapters 2 through 4) of this manual. 
This chapter discusses certain additional 
topics — addressing, interrupt handling, and 



system initialization — that complete the 
system programmer's view of the iAPX 286 
in Real Address Mode. 

5.1 ADDRESSING AND SEGMENTATION 

Like other processors in the iAPX 86 family, 
the iAPX 286 provides a one-megabyte 
memory space (2 20 bytes) when operated in 
Real Address Mode. Physical addresses are 
the 20-bit values that uniquely identify each 
byte location in this address space. Physical 
addresses, therefore, may range from 
through FFFFFH. 

An address is specified by a 32-bit pointer 
containing two components: (1) a 16-bit 
effective address offset that determines the 
displacement, in bytes, of a particular location 
within a segment; and (2) a 16-bit segment 
selector component that determines the start- 
ing address of the segment. Both components 
of an address may be referenced explicitly by 
an instruction (such as JMP, LES, LDS, or 
CALL); more often, however, the segment 
selector is simply the contents of a segment 
register. 

The interpretation of the first component, the 
effective address offset, is straight-forward. 
Segments are at most 64K (2 16 ) bytes in 
length, so an unsigned 16-bit quantity is 
sufficient to address any arbitrary byte 
location with a segment. The lowest-addressed 
byte within a segment has an offset of 0, and 
the highest-addressed byte has an offset of 
FFFFH. Data operands must be completely 
contained within a segment and must be 
contiguous. (These rules apply in both modes.) 

A segment selector is the second component 
of a logical address. This 16-bit quantity 
specifies the starting address of a segment 
within a physical address space of 2 20 bytes. 
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Whenever the iAPX 286 accesses memory in 
Real Address Mode, it generates a 20-bit 
physical address from a segment selector and 
offset value. The segment selector value is left- 
shifted four bit positions to form the segment 
base address. The offset is extended with 4 
high order zeroes and added to the base to 
form the physical address (see figure 5-1.) 



Therefore, every segment is required to start 
at a byte address that is evenly divisible by 
16; thus, each segment is positioned at a 
20-bit physical address whose least signifi- 
cant four bits are zeroes. This arrangement 
allows the iAPX 286 to interpret a segment 



selector as the high-order 16 bits of a 20-bit 
segment base address. 

No limit or access checks are performed by 
the iAPX 286 in the Real Address Mode. All 
segments are readable, writable, executable, 
and have a limit of OFFFFH (65535 bytes). 
To save physical memory, you can use unused 
portions of a segment as another segment by 
overlapping the two (see figure 5-2). The Intel 
iAPX 86 software development tools support 
this feature via the segment override and 
group operators. However, programs that 
access segment B from segment A become 
incompatible in the protected virtual address 
mode. 



16 BIT SEGMENT SELECTOR 
A 



"T"T"T"T 



Figure 5-1a. Forming the Segment Base Address 
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Figure 5-1b. Forming the 20-Bit Physical Address in the Real Address Mode 
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Figure 5-2. Overlapping Segments to Save 
Physical Memory 



An interrupt vector is an unsigned integer in 
the range of 0-255; every interrupt is assigned 
such a vector. In some cases, the assignment 
is predetermined and fixed: for example, an 
external NMI interrupt is invariably associ- 
ated with vector 2, while an internal divide 
exception is always associated with vector 0. 
In most cases, however, the association of an 
interrupt and a vector is established dynami- 
cally. An external INTR interrupt, for 
example, supplies a vector in response to an 
interrupt acknowledge bus cycle, while the 
INT instruction supplies a vector incorpo- 
rated within the instruction itself. The vector 
is shifted two places left to form a byte 
address into the table (see 

figure 5-3). 



5.2 INTERRUPT HANDLING 

Program interrupts may be generated in either 
of two distinct ways. An internal interrupt is 
caused directly by the currently executing 
program. The execution of a particular 
instruction results in the occurrence of an 
interrupt, whether intentionally (e.g., an INT 
instruction) or as an unanticipated exception 
(e.g., invalid opcode). On the other hand, an 
external interrupt occurs asynchronously as 
the result of an event external to the proces- 
sor, and bears no necessary relationship with 
the currently executing program. The INTR 
and NMI pins of the iAPX 286 provide the 
means by which external hardware signals the 
occurrence of such events. 

5.2.1 Interrupt Vector Table 

Whatever its origin, whether internal or 
external, an interrupt demands immediate 
attention from an associated service routine. 
Control must be transferred, at least for the 
moment, from the currently executing 
program to the appropriate interrupt service 
routine. By means of interrupt vectors, the 
iAPX 286 handles such control transfers 
uniformly for both kinds of interrupts. 



In any case, the iAPX 286 uses the interrupt 
vector as an index into a table in order to 
determine the address of the corresponding 
interrupt service routine. For Real Address 
Mode, this table is known as the Interrupt 
Vector Table. Its format is illustrated in 
figure 5-3. 

The Interrupt Vector Table consists of as 
many as 256 consecutive entries, each four 
bytes long. Each entry defines the address of 
a service routine to be associated with the 
correspondingly numbered interrupt vector 
code. Within each entry, an address is speci- 
fied by a full 32-bit pointer that consists of a 
1 6-bit offset and a 1 6-bit segment selector. 

In Real Address Mode, the interrupt table can 
be accessed directly at physical memory 
location through 1023. In the protected 
virtual address mode, however, the interrupt 
vector table has no fixed physical address and 
cannot be directly accessed. Therefore, Real 
Address mode programs that directly 
manipulate the interrupt vector table will not 
work in the protected virtual address mode 
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Figure 5-3. Interrupt Vector Table for Real Address Mode 



5.2.1.1 INTERRUPT PRIORITIES 

When simultaneous interrupt requests occur, 
they are processed in a fixed order as shown 
in table 5-1. Interrupt processing involves 
saving the flags, the return address, and 
setting CS:IP to point at the first instruction 
of the interrupt handler. If other interrupts 
remain enabled, they are processed before the 
first instruction of the current interrupt 
handler is executed. The last interrupt 
processed is therefore the first one serviced. 

5.2.2 Interrupt Procedures 

When an interrupt occurs in Real Address 
Mode, the iAPX 86 performs the following 
sequence of steps. First, the FLAGS register, 
as well as the old values of CS and IP, are 
pushed onto the stack (see figure 5-4). The 
IF and TF flag bits are cleared. The vector 
number is then used to read the address of 
the interrupt service routine from the inter- 
rupt table. Execution begins at this address. 



Table 5-1. Interrupt Processing Order 



Order 



Interrupt 



INT instruction or exception 

Single step 

NMI 

Processor extension segment overrun 

INTR 



A 



INCREASING 
ADDRESSES 



OLD FLAGS 



OLDCS 



OLD IP 



< SS:SP > 



Figure 5-4. Stack Structure After Interrupt 
(Real Address Mode) 
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Thus, when control is passed to an interrupt 
service routine, the return linkage is placed 
on the stack, interrupts are disabled, and 
single-step trace (if in effect) is turned off. 
The IRET instruction at the end of the inter- 
rupt service routine will reverse these steps 
before transferring control to the program 
that was interrupted. 

An interrupt service routine may affect regis- 
ters other than other IP, CS, and FLAGS. It 
is the responsibility of an interrupt routine to 
save additional context information before 
proceeding so that the state of the machine 
can be restored upon completion of the inter- 
rupt service routine (PUSHA and POPA 
instructions are intended for these opera- 
tions). Finally, execution of the IRET 
instruction pops the old IP, CS, and FLAGS 
from the stack and resumes the execution of 
the interrupted program. 

5.2.3 Reserved and Dedicated Interrupt 
Vectors 

In general, the system designer is free to use 
almost any interrupt vectors for any given 
purpose. Some of the lowest-numbered 
vectors, however, are reserved by Intel for 
dedicated functions; their use is specifically 
implied by certain types of exceptions. None 
of the first 32 vectors should be defined by 
the user; these vectors are either invoked by 
pre-defined exceptions or reserved by Intel for 
future expansion. Table 5-2 shows the 
dedicated and reserved vectors of the iAPX 
286 in Real Address Mode. 

The purpose and function of the dedicated 
interrupt vectors may be summarized as 
follows (the saved value of CS:IP will include 
all leading prefixes): 

• Divide error (Interrupt 0). This exception 
will occur if the quotient is too large or 
an attempt is made to divide by zero using 



either the DIV or IDIV instruction. The 
saved CS:IP points at the first byte of the 
failing instruction. DX and AX are 
unchanged. 

• Single-Step (Interrupt 1). This interrupt 
will occur after each instruction if the 
Trace Flag (TF) bit of the FLAGS regis- 
ter is set. Of course, TF is cleared upon 
entry to this or any other interrupt to 
prevent infinite recursion. The saved 
value of CS:IP will point to the next 
instruction. 

• Nonmaskable (Interrupt 2). This inter- 
rupt will occur upon receipt of an exter- 
nal signal on the NMI pin. Typically, the 
nonmaskable interrupt is used to imple- 
ment power-fail/auto-restart procedures. 
The saved value of CS:IP will point to the 
first byte of the interrupted instruction. 

• Breakpoint (Interrupt 3). Execution of 
the one-byte breakpoint instruction causes 
this interrupt to occur. This instruction is 
useful for the implementation of software 
debuggers since it requires only one code 
byte and can be substituted for any 
instruction opcode byte. The saved value 
of CS:IP will point to the next 
instruction. 

• INTO Detected Overflow (Interrupt 4). 
Execution of the INTO instruction will 
cause this interrupt to occur if the 
overflow bit (OF) of the FLAGS register 
is set. The saved value of CS:IP will point 
to the next instruction. 

• BOUND Range Exceeded (Interrupt 5). 
Execution of the BOUND instruction will 
cause this interrupt to occur if the speci- 
fied array index is found to be invalid 
with respect to the given array bounds. 
The saved value of CS:IP will point to the 
first byte of the BOUND instruction. 
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Table 5-2. Dedicated and Reserved Interrupt Vectors in Real Address Mode 


Function 


Interrupt 
Number 


Related 
Instructions 


Return Address 

Before Instruction 

Causing Exception? 


Divide error exception 





DIV, IDIV 


Yes 


Single step interrupt 


1 


All 


N/A 


NMI interrupt 


2 


All 


N/A 


Breakpoint interrupt 


3 


INT 


N/A 


INTO detected overflow exception 


4 


INTO 


No 


BOUND range exceeded exception 


5 


BOUND 


Yes 


Invalid opcode exception 


6 


Any undefined opcode 


Yes 


Processor extension not available 
exception 


7 


ESC or, WAIT with 


Yes 


Interrupt table limit too small 


8 


LIDT 


Yes 


Processor extension segment overrun 
interrupt 


9 


ESC 


Yes 


Segment overrun exception 


13 


All memory reference 
instructions 


Yes 


Reserved 


10-12,14,15 






Processor extension error interrupt 


16 


ESC or WAIT 


N/A 


Reserved 


17-31 






User defined 


32-255 







N/A = Not Applicable 



• Invalid Opcode (Interrupt 6). This 
exception will occur if execution of an 
invalid opcode is attempted. (In Real 
Address Mode, most of the Protected 
Virtual Address Mode instructions are 
classified as invalid and should not be 
used). This interrupt can also occur if the 
effective address given by certain 



instructions, notably BOUND, LDS, 
LES, and LIDT, specifies a register 
rather than a memory location. The saved 
value of CS:IP will point to the first byte 
of the invalid instruction or opcode. 
Processor Extension Not Available 
(Interrupt 7). Execution of the ESC 
instruction will cause this interrupt to 
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occur if the status bits of the MSW 
indicate that processor extension 
functions are to be emulated in software. 
Refer to section 3.10 for more details. 
The saved value of CS:IP will point to the 
first byte of the ESC or the WAIT 
instruction. 

• Interrupt Table Limit Too Small (Inter- 
rupt 8). This interrupt will occur if the 
limit of the interrupt vector table was 
changed from 3FFH by the LIDT 
instruction. The saved value of CS:IP will 
point to the first byte of the instruction 
that caused the interrupt or that was 
ready to execute before an external inter- 
rupt occurred. 

• Processor Extension Segment Overrun 
Interrupt (Interrupt 9). The interrupt will 
occur if a processor extension memory 
operand does not fit in a segment. The 
saved CS:IP will point at the first byte of 
the instruction that caused the interrupt. 

• Segment Overrun Exception (Interrupt 
13). This interrupt will occur if a memory 
operand does not fit in a segment. The 
saved CS:IP will point at the first byte of 
the instruction that caused the interrupt. 

• Processor Extension Error (Interrupt 16). 
This interrupt occurs after the numeric 
instruction that caused the error. It can 
only occur while executing a subsequent 
WAIT or ESC. The saved value of CS:IP 
will point to the first byte of the ESC or 
the WAIT instruction. The address of the 
failed numeric instruction is saved in the 
NPX. 

5.3 SYSTEM INITIALIZATION 

The iAPX 286 provides an orderly way to 
start or restart an executing system. Upon 
receipt of the RESET signal, certain proces- 
sor registers go into the determinate state 
shown in table 5-3. 



Table 5-3. Processor State After RESET 



Register 


Contents 


FLAGS 


0002 


MSW 


FFFO 


IP 


FFFO 


CS 


F000 


DS 


0000 


SS 


0000 


ES 


0000 



Since the CS register contains F000 (thus 
specifying a code segment starting at physi- 
cal address F0000) and the instruction pointer 
contains FFFO, the processor will execute its 
first instruction at physical address FFFF0H. 
The uppermost 1 6 bytes of physical memory 
are therefore reserved for initial startup logic. 
Ordinarily, this location contains an interseg- 
ment direct JMP instruction whose target is 
the actual beginning of a system initialization 
or restart program. 

Some of the steps normally performed by a 
system initialization routine are as follows: 

• Allocate a stack. 

• Load programs and data from secondary 
storage into memory. 

• Initialize external devices. 

• Enable interrupts (i.e., set the IF bit of 
the FLAGS register). Set any other 
desired FLAGS bit as well. 

• Set the appropriate MSW flags if a 
processor extension is present, or if 
processor extension functions are to be 
emulated by software. 

• Set other registers, as appropriate, to the 
desired initial values. 

• Execute. (Ordinarily, this last step is 
performed as an intersegment JMP to the 
main system program.) 
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CHAPTER 6 
MEMORY MANAGEMENT AND VIRTUAL ADDRESSING 



In Protected Virtual Address Mode, the iAPX 
286 provides an advanced architecture that 
retains substantial compatibility with the 8086 
and other processors in the iAPX 86 family. 
In many respects, the baseline architecture of 
the processor remains constant regardless of 
the mode of operation. Application program- 
mers continue to use the same set of instruc- 
tions, addressing modes, and data types in 
Protected Mode as in Real Address Mode. 

The major difference between the two modes 
of operation is that the Protected Mode 
provides system programmers with additional 
architectural features, supplementary to the 
baseline architecture, that can be used to good 
advantage in the design and implementation 
of advanced systems. Especially noteworthy 
are the mechanisms provided for memory 
management, protection, and multitasking. 

This chapter focuses on the memory manage- 
ment mechanisms of Protected Mode; the 
concept of a virtual address and the process 
of virtual-to-physical address translation are 
described in detail in this chapter. Subse- 
quent chapters deal with other key aspects of 
Protected Mode operation. Chapter 7 
discusses the issue of protection and the 
integrated mechanisms that support a system- 
wide protection policy. Chapter 8 discusses the 
notion of a task and its central role in the 
iAPX 286 architecture. Chapters 9 through 
11 discuss certain additional topics — inter- 
rupt handling, special instructions, system 
initialization, etc. — that complete the system 
programmer's view of iAPX 286 Protected 
Mode. 

6.1 MEMORY MANAGEMENT OVERVIEW 

A memory management scheme interposes a 
mapping operation between logical addresses 



(i.e., addresses as they are viewed by 
programs) and physical addresses (i.e., actual 
addresses in real memory). Since the logical 
address spaces are independent of physical 
memory (dynamically relocatable), the 
mapping (the assignment of real address space 
to virtual address space) is transparent to 
software. This allows the program develop- 
ment tools (for static systems) or the system 
software (for reprogrammable systems) to 
control the allocation of space in real memory 
without regard to the specifics of individual 
programs. 

Application programs may be translated and 
loaded independently since they deal strictly 
with virtual addresses. Any program can be 
relocated to use any available segments of 
physical memory. 

The iAPX 286, when operated in Protected 
Mode, provides an efficient on-chip memory 
management architecture. Moreover, as 
described in Chapter 11, the iAPX 286 also 
supports the implementation of virtual 
memory systems — that is, systems that 
dynamically swap chunks of code and data 
between real memory and secondary storage 
devices (e.g., a disk) independent of and 
transparent to the executing application 
programs. Thus, a program-visible address is 
more aptly termed a virtual address rather 
than a logical address since it may actually 
refer to a location not currently present in real 
memory. 

Memory management, then, consists of a 
mechanism for mapping the virtual addresses 
that are visible to the program onto the 
physical addresses of real memory. With the 
iAPX 286, segmentation is the key to virtual 
memory addressing. Virtual memory is parti- 
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tioned into a number of individual segments, 
which are the units of memory that are 
mapped into physical memory and swapped 
to and from secondary storage devices. Most 
of this chapter is devoted to a detailed discus- 
sion of the mapping and virtual memory 
mechanisms of the iAPX 286. 

The concept of a task also plays a significant 
role in memory management since distinct 
memory mappings may be assigned to the 
different tasks in a multitask or multi-user 
environment. A complete discussion of tasks 
is deferred until Chapter 8, "Tasks and State 
Transition." For present purposes, it is suffi- 
cient to think of a task as an ongoing process, 
or execution path, that is dedicated to a 
particular function. In a multi-user time- 
sharing environment, for example, the 
processing required to interact with a partic- 
ular user may be considered as a single task, 
functionally independent of the other tasks 
(i.e., users) in the system. 

6.2 VIRTUAL ADDRESSES 

In Protected Mode, application programs deal 
exclusively with virtual addresses; programs 
have no access whatsoever to the actual 
physical addresses generated by the proces- 
sor. As discussed in Chapter 2, an address is 
specified by a program in terms of two 
components: (1) a 16-bit effective address 
offset that determines the displacement, in 
bytes, of a location within a segment; and (2) 
a 16-bit segment selector that uniquely refer- 
ences a particular segment. Jointly, these two 
components constitute a complete 32-bit 
address (pointer data type), as shown in 
figure 6- 1 . 

These 32-bit virtual addresses are manipu- 
lated by programs in exactly the same way as 
the two-component addresses of Real Address 
Mode. After a program loads the segment 
selector component of an address into a 



segment register, each subsequent reference 
to locations within the selected segment 
requires only a 16-bit offset be specified. 
Locality of reference will ordinarily insure 
that addresses can be specified very efficiently 
using only 1 6-bit offsets. 

An important difference between Real 
Address Mode and Protected Mode, however, 
concerns the actual format and information 
content of segment selectors. In Real Address 
Mode, as with the 8086 and other processors 
in the iAPX 86 family, a 16-bit selector is 
merely the upper bits of a segment's physical 
base address. By contrast, segment selectors 
in Protected Mode follow an entirely differ- 
ent format, as illustrated by figure 6-2. 

Two of the selector bits, designated as the 
RPL field in figure 6-2, are not actually 
involved in the selection and specification of 
segments; their use is discussed in Chapter 7. 
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Figure 6-1. 32-Bit Virtual Address 
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The remaining 14 bits of the selector compo- 
nent uniquely designate a particular segment. 
The virtual address space of a program, 
therefore, may encompass as many as 16,384 
(2 14 ) distinct segments. Segments themselves 
are of variable size, ranging from as small as 
a single byte to as large as 64K (2 16 ) bytes. 
Thus, a program's virtual address space may 
contain, altogether, up to a full gigabyte 
( 2 3o = 2 m x 2 16 ) of individually addressable 
byte locations. 

The entirety of a program's virtual address 
space is further subdivided into two separate 
halves, as distinguished by the TI ("table 
indicator") bit in the virtual address. These 
two halves are the global address space and 
the local address space. 

The global address space is used for system- 
wide data and procedures including operating 
system software, library routines, runtime 
language support and other commonly shared 



system services. (To application programs, the 
operating system appears to be a set of service 
routines that are accessible to all tasks.) 
Global space is shared by all tasks to avoid 
unnecessary replication of system service 
routines and to facilitate shared data and 
interrupt handling. Global address space is 
defined by addresses with a zero in the TI bit 
position; it is identically mapped for all tasks 
in the system. 

The other half of the virtual address space — 
comprising those addresses with the TI bit 
set — is separately mapped for each task in the 
system. Because such an address space is local 
to the task for which it is defined, it is referred 
to as a local address space. In general, code 
and data segments within a task's local 
address space are private to that particular 
task or user. Figure 6-3 illustrates the task 
isolation made possible by partitioning the 
virtual address spaces into local and global 
regions. 
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Figure 6-3. Address Spaces and Task Isolation 
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Within each of the two regions addressable 
by a program — either the global address space 
or a particular local address space — as many 
as 8,192 (2 13 ) distinct segments may be 
defined. The INDEX field of the segment 
selector allows for a unique specification of 
each of these segments. This 13-bit quantity 
acts as an index into a memory-resident table, 
called a descriptor table, that records the 
mapping between segment address and the 
physical locations allocated to each distinct 
segment. (These descriptor tables, and their 
role in virtual-to-physical address translation, 
are described in the sections that follow.) 

In summary, a Protected Mode virtual 
address is a 32-bit pointer to a particular byte 
location within a one-gigabyte virtual address 
space. Each such pointer consists of a 1 6-bit 
selector component and a 16-bit offset 
component. The selector component, in turn, 
comprises a 13-bit table index, a 1-bit table 
indicator (local versus global), and a 2-bit 
RPL field; all but this last field serve to select 
a particular segment from among the 16K 
segments in a task's virtual address space. The 
offset component of a full pointer is an 
unsigned 16-bit integer that specifies the 
desired byte location within the selected 
segment. 

6.3 DESCRIPTOR TABLES 

A descriptor table is a memory-resident table 
either defined by program development tools 
in a static system or controlled by operating 
system software in systems that are repro- 
grammable. The descriptor table contents 
govern the interpretation of virtual addresses. 
Whenever the iAPX 286 decodes a virtual 
address, translating a full 32-bit pointer into 
a corresponding 24-bit physical address, it 
implicitly references one of these tables. 

Within a Protected Mode system, there are 
ordinarily several descriptor tables resident in 



memory. One of these is the global descriptor 
table (GDT); this table provides a complete 
description of the global address space. In 
addition, there may be one or more local 
descriptor tables (LDTs), each describing the 
local address space of one or more tasks. 

For each task in the system, a pair of descrip- 
tor tables — consisting of the GDT (shared by 
all tasks) and a particular LDT (private to 
the task or to a group of closely related 
tasks) — provides a complete description of 
that task's virtual address space. The protec- 
tion mechanism described in Chapter 7, 
"Protection," ensures that a task is granted 
access only to its own virtual address space. 
In the simplest of system configurations, tasks 
can reside entirely within the GDT without 
the use of local descriptor tables. This will 
simplify system software by only requiring 
maintenance of one table (the GDT) at the 
expense of no isolation between tasks. The 
point is: the iAPX 286 memory management 
scheme is flexible enough to accommodate a 
variety of implementations and does not 
require use of all possible facilities when 
implementing a system. 

The descriptor tables consist of a sequence of 
8-byte entries called descriptors. A descriptor 
table may contain from 1 to 8192 entries. 

Within a descriptor table, two main classes of 
descriptors are recognized by the iAPX 286 
architecture. The most important of these, 
from the standpoint of memory management, 
are called segment descriptors; these deter- 
mine the set of segments that are included 
within a given address space. The other class 
of special-purpose control descriptors — such 
as call gates and task descriptors — are 
provided to implement protection (described 
in succeeding chapters) and special system 
data segments. 
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Figure 6-4 shows the format of a segment 
descriptor. Note that it provides information 
about the physical-memory base address and 
size of a segment, as well as certain access 
information. If a particular segment is to be 
included within a virtual address space, then 
a segment descriptor that describes that 
segment must be included within the appro- 
priate descriptor table. Thus, within the GDT, 
there are segment descriptors for all of the 
segments that comprise a system's global 
address space. Similarly, within a task's LDT, 
there must be a descriptor for each of the 
segments that are to be included in that task's 
local address space. 

Each local descriptor table is itself a special 
system segment, recognizable as such by the 
iAPX 286 architecture and described by a 
specific type of segment descriptor (see figure 
6-5). Because there is only a single GDT 
segment, it is not defined by a segment 
descriptor. Its base and size information is 
maintained in a dedicated register, GDTR, as 
described below (section 6.6.2). 

Similarly, there is another dedicated register 
within the iAPX 286, LDTR, that records the 
base and size of the current LDT segment 
(i.e., the LDT associated with the currently 
executing task). The LDTR register state, 
however, is volatile: its contents are automat- 
ically altered whenever a task switch is made 
from one task to another. An alternate speci- 
fication independent of changeable register 
contents must therefore exist for each LDT 
in the system. This independent specification 
is accomplished by means of special system 
segment descriptors known as descriptor table 
descriptors or LDT descriptors. 

Figure 6-5 shows the format of a descriptor 
table descriptor. (Note that it is distinguished 
from an ordinary segment descriptor by the 
contents of certain bits in the access byte.) 



This special type of descriptor is used to 
specify the physical base address and size of 
a local descriptor table that defines the virtual 
address space and address mapping for an 
individual user or task (figure 6-6). 
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Figure 6-6. LDT Descriptor 



Each LDT segment in a system must lie 
within that system's global address space. 
Thus, all of the descriptor table descriptors 
must be included among the entries in the 
global descriptor table (the GDT) of a system. 
In fact, these special descriptors may appear 
only in the GDT. Reference to an LDT 
descriptor within an LDT will cause a protec- 
tion violation. Even though they are in the 
global address space available to all tasks, the 
descriptor table descriptors are protected from 
corruption within the GDT since they are 
special system segments and can only be 
accessed for loading into the LDTR register. 



6.4 VIRTUAL-TO-PHYSICAL ADDRESS 
TRANSLATION 

The translation of a full 32-bit virtual address 
pointer into a real 24-bit physical address is 
shown by figure 6-7. When the segment's base 
address is determined as a result of the 
mapping process, the offset value is added to 
the result to obtain the physical address. 

The actual mapping is performed on the 
selector component of the virtual address. The 
1 6-bit segment selector is mapped to a 24-bit 
segment base address via a segment descrip- 
tor maintained in one of the descriptor tables. 
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Figure 6-7. Virtual-to-Physical Address Translation 

The TI bit in the segment selector (see figure 
6-2) determines which of two descriptor 
tables, either the GDT or the current LDT, 
is to be chosen for memory mapping. In either 
case, using the GDTR or LDTR register, the 
processor can readily determine the physical 
base address of the memory-resident table. 

The INDEX field in the segment selector 
specifies a particular descriptor entry within 
the chosen table. The processor simply multi- 
plies this index value by 8 (the length of a 
descriptor), and adds the result to the base 
address of the descriptor table in order to 
access the appropriate segment descriptor in 
the table. 

Finally, the segment descriptor contains the 
physical base address of the target segment, 
as well as size (limit) and access information. 
The processor sums the 24-bit segment base 
and the specified 1 6-bit offset to generate the 
resulting 24-bit physical address. 



6.5 SEGMENTS AND SEGMENT 
DESCRIPTORS 

Segments are the basic units of iAPX 286 
memory management. In contrast to schemes 
based on fixed-size pages, segmentation allows 
for a very efficient implementation of 
software: variable-length segments can be 
tailored to the exact requirements of an 
application. Segmentation, moreover, is 
consistent with the way a programmer 
naturally deals with his virtual address space: 
programmers are encouraged to divide code 
and data into clearly defined modules and 
structures which are manipulated as con- 
sistent entities. This reduces (minimizes) the 
potential for virtual memory thrashing. 
Segmentation also eliminates the restrictions 
on data structures that span a page (e.g., a 
word that crosses page boundaries). 

Each segment within an iAPX 286 system is 
defined by an associated segment descriptor, 
which may appear in one or more descriptor 
tables. Its inclusion within a descriptor table 
represents the presence of its associated 
segment within the virtual address space 
defined by that table. Conversely, its ommis- 
sion from a descriptor table means that the 
segment is absent from the corresponding 
address space. 

As shown previously in figure 6-4, an 8-byte 
segment descriptor encodes the following 
information about a particular segment: 



• Size. This 1 6-bit field, comprising the first 
two bytes of a segment descriptor, speci- 
fies an unsigned integer as the size, in bytes 
(from 1 byte to 64K bytes), of the segment. 

Unlike segments in the 8086 (or the iAPX 
286 in Real Address Mode) — which are 
never explicitly limited to less than a full 
64K bytes — Protected Mode segments are 
always assigned a specific size value. In 
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conjunction with the protection features 
described in Chapter 7, this assigned size 
allows the enforcement of a very desirable 
and natural rule: inadvertent accesses to 
locations beyond a segment's actual 
boundaries are prohibited. 

• Base. This 24-bit field, comprising bytes 2 
through 4 of a segment descriptor, speci- 
fies the physical base address of the 
segment; it thus defines the actual location 
of the segment within the 16-megabyte real 
memory space. The base may be any byte 
address within the 16-megabyte real 
memory space. 

• Access. This 8-bit field comprises byte 5 of 
a segment descriptor. This access byte 
specifies a variety of additional informa- 
tion about a segment, particularly in regard 
to the protection features of the iAPX 286. 
For example, code segments are distin- 
guished from data segments; and certain 
special access restrictions (such as Execute- 
Only or Read-Only ) may be defined for 
segments of each type. 

Figure 6-8 shows the access byte format for 
both code and data segment descriptors. 
Detailed discussion of the protection related 
fields within an access byte (Conforming, 
Execute-Only, Descriptor Privilege Level, 
Expand Down, and Write-Permitted), and 
their use in implementing protection policies, 
is deferred to Chapter 7. The two fields 
Accessed and Present are used for virtual 
memory implementations. 

6.6 MEMORY MANAGEMENT REGISTERS 

The Protected Virtual Address Mode features 
of the iAPX 286 operate at high performance 
due to extensions to the basic iAPX 86 regis- 
ter set. Figure 6-9 illustrates that portion of 
the extended register structure that pertains 
to memory management. (For a complete 
summary of all Protected Mode registers, 
refer to section 10.1). 
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Figure 6-9. Memory Management Registers 



6.6.1 Segment Address Translation 
Registers 

Figure 6-9 shows the segment registers 
CS,DS,ES, and SS. In contrast to their usual 
representation, however, these registers are 
now depicted as 64-bit registers, each with 
"visible" and "hidden" components. 

The visible portions of these segment address 
translation registers are manipulated by 
programs exactly as if they were simply the 
16-bit segment registers of Real Address 
Mode. By loading a segment selector into one 
of these registers, the program makes the 
associated segment one of its four currently 
addressable segments. 



The operations that load these registers — or, 
more exactly, those that load the visible 
portion of these registers — are normal 
program instructions. These instructions may 
be divided into two categories: 

1. Direct load instructions. These instruc- 
tions (such as LDS, LES, MOV, POP, 
etc.) explicitly reference the SS, DS, or ES 
segment registers as the destination 
operand. 

2. Implied load instructions. These instruc- 
tions (such as CALL and JMP) implicitly 
reference the CS code segment register; as 
a result of these operations, the contents of 
CS are altered. 
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Using these instructions, a program loads the 
visible part of the segment register with a 
16-bit selector (i.e., the high-order word of a 
virtual address pointer). Whenever this is 
done, the processor automatically references 
the appropriate descriptor table and loads the 
hidden part of the segment register with a 
corresponding 48-bit descriptor. 

The correspondence between selectors and 
descriptors has already been described. 
Remember that the selector's TI bit indicates 
one of the two descriptor tables, either the 
LDT or the GDT. Within the indicated table, 
a particular entry is chosen by the selector's 
13-bit INDEX field. This index, scaled by a 



factor of 8, represents the relative displace- 
ment of the chosen table entry (a descriptor). 

Thus, so long as a particular selector value is 
valid (i.e., it points to a valid segment 
descriptor within the bounds of the descriptor 
table), it can be readily associated with an 
8-byte descriptor. When a selector value is 
loaded into the visible part of a segment 
register, the iAPX 286 automatically loads 6 
bytes of the associated descriptor into the 
hidden part of the register. These 6 bytes, 
therefore, contain the size, base, and access 
type of the selected segment. Figure 6-10 
illustrates this transparent process of 
descriptor loading. 
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Figure 6-10. Descriptor Loading 
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In effect, the hidden descriptor fields of the 
segment registers function as the memory 
management cache of the iAPX 286. All the 
information required to address the current 
working set of segments — that is, the base 
address, size, and access rights of the 
currently addressable segments — is stored in 
this memory cache. Unlike the probabilistic 
caches of other architectures, however, the 
iAPX 286 cache is completely deterministic: 
the caching of descriptors is explicitly 
controlled by the program. 

Most memory references do not require the 
translation of a full 32-bit virtual address, or 
long pointer. Operands that are located within 
one of the currently addressable segments, as 
determined by the four segment registers, can 
be referenced very efficiently by means of a 
short pointer, which is simply a 1 6-bit offset. 

In fact, most iAPX 286 instructions reference 
memory locations in precisely this way, speci- 
fying only a 16-bit offset with respect to one 
of the currently addressable segments. The 
choice of segments (CS, DS, ES, or SS) is 
either implicit within the instruction itself, or 
explicitly specified by means of a segment- 
override prefix (as described in Chapter 2). 

Thus, in most cases, virtual-to-physical 
address translation is actually performed in 
two separate steps. First, when a program 
loads a new value into a segment register, the 
processor immediately performs a mapping 
operation; the physical base address of the 
selected segment (as well as certain additional 
information) is automatically loaded into the 
hidden portion of the register. The internal 
cache registers (virtual address translation 
hardware) are therefore dynamically shared 
among the 16K different segments poten- 
tially addressable within the user's virtual 
address space. No software overhead (either 
system or application) is required to perform 
this operation. 



Subsequently, as the program utilizes a short 
pointer to reference a location within a 
segment, the processor generates a 24-bit 
physical address simply by adding the speci- 
fied offset value to the previously cached 
segment base address. By encouraging the use 
of short pointers in this way, rather than 
requiring a full 32-bit virtual address for every 
memory reference, the iAPX 286 provides a 
very efficient on-chip mechanism for address 
translation, with minimum overhead for 
references to memory-based tables or the need 
for external address-translation devices. 

6.6.2 System Address Registers 

The Global Descriptor Table Register 
(GDTR) is a dedicated 40-bit (5 byte) regis- 
ter used to record the base and size of a 
system's global descriptor table (GDT). Thus, 
two of these bytes define the size of the GDT, 
and three bytes define its base address. 

In figure 6-9, the contents of the GDTR are 
referred to as a "hidden descriptor." The term 
"descriptor" here emphasizes the analogy with 
the segment descriptors ordinarily found in 
descriptor tables. Just as these descriptors 
specify the base and size (limit) of ordinary 
segments, the GDTR register specifies these 
same parameters for that segment of memory 
serving as the system GDT. The limit prevents 
accesses to descriptors in the GDT from 
accessing beyond the end of the GDT and thus 
provides address space isolation at the system 
level as well as at the task level. 

The register contents are "hidden" only in the 
sense that they are not accessible by means 
of ordinary instructions. Instead, the 
dedicated protected instructions LGDT and 
SGDT are reserved for loading and storing, 
respectively, the contents of the GDTR at 
Protected Mode initialization (refer to section 
10.2 for details). Subsequent alteration of the 
GDT base and size values is not recom- 
mended but is a system option at the most 
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privileged level of software (see section 7.3 for 
a discussion of privilege levels). 

The Local Descriptor Table Register (LDTR) 
is a dedicated 40-bit register that contains, at 
any given moment, the base and size of the 
local descriptor table (LDT) associated with 
the currently executing task. Unlike GDTR, 
the LDTR register contains both a "visible" 
and a "hidden" component. Only the visible 
component is accessible, while the hidden 
component remains truly inaccessible even to 
dedicated instructions. 

The visible component of the LDTR is a 
16-bit "selector" field. The format of these 
16 bits corresponds exactly to that of a 
segment selector in a virtual address pointer. 
Thus, it contains a 13-bit INDEX field, a 1- 
bit TI field, and a 2-bit RPL field. The TI 
"table indicator" bit must be zero, indicating 
a reference to the GDT (i.e., to global address 
space). The INDEX field consequently 
provides an index to a particular entry within 
the GDT. This entry, in turn, must be an LDT 
descriptor (or descriptor table descriptor), as 
defined in the previous section. In this way, 
the visible "selector" field of the LDTR, by 
selecting an LDT descriptor, uniquely desig- 
nates a particular LDT in the system. 

The dedicated, protected instructions LLDT 
and SLDT are reserved for loading and 
storing, respectively, the visible selector 
component of the LDTR register (refer to 
section 10.2 for details). Whenever a new 
value is loaded into the visible "selector" 
portion of LDTR, an LDT descriptor will 



have been uniquely chosen (assuming, of 
course, that the "selector" value is valid). In 
this case, the iAPX 286 automatically loads 
the hidden "descriptor" portion of LDTR with 
five bytes from the chosen LDT descriptor. 
Thus, size and base information about a 
particular LDT, as recorded in a memory- 
resident global descriptor table entry, is 
cached in the LDTR register. 

New values may be loaded into the visible 
portion of the LDTR (and, thus, into the 
hidden portion as well) in either of two ways. 
The LLDT instruction, during system initial- 
ization, is used explicitly to set an initial value 
for the LDTR register; in this way, a local 
address space is provided for the first task in 
a multitasking environment. After system 
startup, explicit changes are not required since 
operations that automatically invoke a task 
switch (described in section 8.4) appropri- 
ately manage the LDTR. 

At all times, the LDTR register thus records 
the physical base address (and size) of the 
current task's LDT; the descriptor table 
required for mapping the current local address 
space, therefore, is immediately accessible to 
the processor. Moreover, since GDTR always 
maintains the base address of the GDT, the 
table that maps the global address space is 
similarly accessible. The two system address 
registers, GDTR and LDTR, act as a special 
processor cache, maintaining current infor- 
mation about the two descriptor tables 
required, at any given time, for addressing the 
entire current virtual address space. 
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PROTECTION 



7.1 INTRODUCTION 

In most microprocessor based products, the 
product's availability, quality, and reliability 
are determined by the software it contains. 
Software is often the key to a product's 
success. Protection is a tool used to shorten 
software development time, and improve 
software quality and reliability. 

Program testing is an important step in 
developing software. A system with protec- 
tion will detect software errors more quickly 
and accurately than a system without protec- 
tion. Eliminating errors via protection reduces 
the development time for a product. 

Testing software is difficult. Many errors 
occur only under complex circumstances 
which are difficult to anticipate. The result is 
that products are shipped with undetected 
errors. When such errors occur, products 
appear unreliable. The impact of a software 
error is multiplied if it introduces errors in 
other bug-free programs. Thus, the total 
system reliability reduces to that of the least 
reliable program running at any given time. 

Protection improves the reliability of an entire 
system by preventing software errors in one 
program from affecting other programs. 
Protection can keep the system running even 
when some user program attempts an invalid 
or prohibited operation. 

Hardware protection performs run-time 
checks in parallel with the execution of the 
program. But, hardware protection has tradi- 
tionally resulted in a design that is more 
expensive and slower than a system without 
protection. However, the iAPX 286 provides 
hardware-enforced protection without the 
performance or cost penalties normally 
associated with protection. 



The protected mode iAPX 286 implements 
extensive protection by integrating these 
functions on-chip. The iAPX 286 protection 
is more comprehensive and flexible than 
comparable solutions. It can locate and isolate 
a large number of program errors and prevent 
the propagation of such errors to other tasks 
or programs. The protection of the total 
system detects and isolates bugs both during 
development and installed usage. 

The remaining sections of this chapter explain 
the protection model implemented in the 
iAPX 286. 

7.1.1 Types of Protection 

Protection in the iAPX 286 has three basic 
aspects: 

1. Isolation of system software from user 
applications. 

2. Isolation of users from each other (Inter- 
task protection). 

3. Data-type checking. 

The iAPX 286 provides a four-level, ringed- 
type, increasingly-privileged protection 
mechanism to isolate applications software 
from various layers of system software. This 
is a major improvement and extension over 
the simpler two-level user/supervisor mecha- 
nism found in many systems. Software 
modules in a supervisor level are protected 
from modules in the application level and 
from software in less privileged supervisor 
levels. 

Restricting the addressability of a software 
module enables an operating system to control 
system resources and priorities. This is 
especially important in an environment that 
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supports multiple concurrent users. Multi- 
user, multi-tasking, and distributed process- 
ing systems require this complete control of 
system resources for efficient, reliable 
operation. 

The second aspect of protection is isolating 
users from each other. Without such isolation 
an error in one user program could affect the 
operation of another error-free user program. 
Such subtle interactions are difficult to 
diagnose and repair. The reliability of appli- 
cations programs is greatly enhanced by such 
isolation of users. 

Within a system or application level program, 
the iAPX 286 will ensure that all code and 
data segments are properly used (e.g., data 
cannot be executed, programs cannot be 
modified, and offset must be within defined 
limits, etc.). Such checks are performed on 
every memory access to provide full run-time 
error checking. 



7.1.2 Protection Implementation 

The protection hardware of the iAPX 286 
establishes constraints on memory and 
instruction usage. The number of possible 
interactions between instructions, memory, 
and I/O devices is practically unlimited. Out 
of this very large field the protection mecha- 
nism limits interactions to a controlled, 
understandable subset. Within this subset fall 
the list of "correct" operations. Any opera- 
tion that does not fall into this subset is not 
allowed by the protection mechanism and is 
signalled as a protection violation. 

To understand protection on the iAPX 286, 
you must begin with its basic parts: segments 
and tasks. iAPX 286 segments are the small- 
est region of memory which have unique 
protection attributes. Modular programming 
automatically produces separate regions of 



memory (segments) whose contents are 
treated as a whole. Segments reflect the 
natural construction of a program, e.g., code 
for module A, data for module A, stack for 
the task, etc. All parts of the segment are 
treated in the same way by the iAPX 286. 
Logically separate regions of memory should 
be in separate segments. 

The memory segmentation model (see figure 
7-1) of the iAPX 286 was designed to 
optimally execute code for software composed 
of independent modules. Modular programs 
are easier to construct and maintain. 
Compared to monolithic software systems, 
modular software systems have enhanced 
capabilities, and are typically easier to develop 
and test for proper operation. 

Each segment in the system is defined by a 
memory-resident descriptor. The protection 
hardware prevents accesses outside the data 
areas and attempts to modify instructions, 
etc., as defined by the descriptors. Segmen- 
tation on the iAPX 286 allows protection 
hardware to be integrated into the CPU for 
full data access control without any perform- 
ance impact. 

The segmented memory architecture of the 
iAPX 286 provides unique capabilities for 
regulating the transfer of control between 
programs. 

Programs are given direct but controlled 
access to other procedures and modules. This 
capability is the heart of isolating application 
and system programs. Since this access is 
provided and controlled directly by the iAPX 
286 hardware, there is no performance 
penalty. A system designer can take advan- 
tage of the iAPX 286 access control to design 
high-performance modular systems with a 
high degree of confidence in the integrity of 
the system. 
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Figure 7-1. Addressing Segments of a Module within a Task 



Access control between programs and the 
operating system is implemented via address 
space separation and a privilege mechanism. 
The address space control separates applica- 
tions programs from each other while the 
privilege mechanism isolates system software 
from applications software. The privilege 
mechanism grants different capabilities to 
programs to access code, data, and I/O 
resources based on the associated protection 
level. Trusted software that controls the whole 
system is typically placed at the most privi- 
leged level. Ordinary application software 
does not have to deal with these control 



mechanisms. They come into play only when 
there is a transfer of control between tasks, 
or if the Operating System routines have to 
be invoked. 

The protection features of multiple privilege 
levels extend to ensuring reliable I/O control. 
However, for a system designer to enable only 
one specific level to do I/O would excessively 
constrain subsequent extensions or applica- 
tion development. Instead, the iAPX 286 
permits each task to be assigned a separate 
minimum level where I/O is allowed. I/O 
privilege is discussed in section 10.3. 
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An important distinction exists between tasks 
and programs. Programs (e.g., instructions in 
code segments) are static and consist of a 
fixed set of code and data segments each with 
an associated privilege level. The privilege 
assigned to a program determines what the 
program may do when executed by a task. 
Privilege is assigned to a program when the 
system is built or when the program is loaded. 

Tasks are dynamic; they execute one or more 
programs. Task privilege changes with time 
according to the privilege level of the program 
being executed. Each task has a unique set of 
attributes that define it, e.g., address space, 
register values, stack, data, etc. A task may 
execute a program if that program appears in 
the task's address space. The rules of protec- 
tion control determine when a program may 
be executed by a task, and once executed, 
determine what the program may do. 

7.2 MEMORY MANAGEMENT AND 
PROTECTION 

The protection hardware of the iAPX 286 is 
related to the memory management hardware. 



Since protection attributes are assigned to 
segments, they are stored along with the 
memory management information in the 
segment descriptor. The protection informa- 
tion is specified when the segment is created. 
In addition to privilege levels, the descriptor 
defines the segment type (e.g., Code segment, 
Data segment, etc.). Descriptors may be 
created either by program development tools 
or by a loader in a dynamically loaded repro- 
grammable environment. 

The protection control information consists of 
a segment type, its privilege level, and size. 
These are fields in the access byte of the 
segment descriptor (see figure 7-2). This 
information is saved on-chip in the program- 
mer invisible section of the segment register 
for fast access during execution. These entries 
are changed only when a segment register is 
loaded. The protection data is used at two 
times: upon loading a segment register and 
upon each reference to the selected segment. 

The hardware performs several checks while 
loading a segment register. These checks 
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Figure 7-2. Descriptor Cache Registers 
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enforce the protection rules before any 
memory reference is generated. The hardware 
verifies that the selected segment is valid (is 
identified by a descriptor, is in memory, and 
is accessible from the privilege level in which 
the program is executing) and that the type 
is consistent with the target segment register. 
For example, you cannot load a read-only 
segment descriptor into SS because the stack 
must always be writable. 

Each reference into the segment defined by a 
segment register is checked by the hardware 
to verify that it is within the defined limits of 
the segment and is of the proper type. For 
example, a code segment or read-only data 
segment cannot be written. All these checks 
are made before the memory cycle is started; 
any violation will prevent that cycle from 
starting and cause an exception to occur. 
Since the checks are performed concurrently 
with address formation, there is no perform- 
ance penalty. 

By controlling the access rights and privilege 
attributes of segments, the system designer 
can assure a program will not change its code 
or over write data belonging to another task. 
Such assurances are vital to maintaining 
system integrity in the face of error-prone 
programs. 



Each descriptor table is itself a special kind 
of segment recognized by the iAPX 286 
architecture. These tables are defined by 
descriptors in the GDT (Global Descriptor 
Table). The CPU has a set of base and limit 
registers that point to the GDT and the LDT 
of the currently running task. The descriptor 
table registers are loaded by a task switch 
operation. 



An active task can only load selectors that 
reference segments defined by descriptors in 
either the GDT or its private LDT. Since a 
task cannot reference descriptors in other 
LDTs, and no descriptors in its LDT refer to 
data or code belonging to other tasks, it 
cannot gain access to another tasks' private 
code and data (see figure 7-3). 



Since the GDT contains information that is 
accessible by all users (e.g., library routines, 
common data, Operating System services, 
etc.), the iAPX 286 uses privilege levels and 
special descriptor types to control access (see 
section 7.2.2). Privilege levels protect more 
trusted data and code (in GDT and LDT) 
from less trusted access (WITHIN a task), 
while the private virtual address spaces 
defined by unique LDTs provide protection 
BETWEEN tasks (see figure 7-4). 



7.2.1 Separation of Address Spaces 

As described in Chapter 6, each task can 
address up to a gigabyte (2 14 — 1 segments of 
up to 65536 bytes each) of virtual memory 
defined by the task's LDT (Local Descriptor 
Table) and the system GDT. Up to one-half 
gigabyte (2 13 — 1 segments of up to 65536 
bytes each) of the task's address space is 
defined by the LDT and represents the task's 
private address space. The remaining virtual 
address space is defined by the GDT and is 
common to all tasks in the system. 



7.2.2 LDT and GDT Access Checks 

All descriptor tables have a limit used by the 
protection hardware to ensure address space 
separation of tasks. Each task's LDT can be 
a different size as defined by its descriptor in 
the GDT. The GDT may also contain less 
than 8091 descriptors as defined by the GDT 
limit value. The descriptor table limit identi- 
fies the last valid byte of the last descriptor 
in that table. Since each descriptor is eight 
bytes long, the limit value is NX 8 — 1 for N 
descriptors. 
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Any attempt by a program to load a segment 
register, local descriptor table register 
(LDTR), or task register (TR) with a selec- 
tor that refers to a descriptor outside the 
corresponding limit causes an exception with 
an error code identifying the invalid selector 
used (see figure 7-5). 

Not all descriptor entries in the GDT or LDT 
need contain a valid descriptor. There can be 



holes, or "empty" descriptors, in the LDT and 
GDT. "Empty" descriptors allow dynamic 
allocation and deletion of segments or other 
system objects without changing the size of 
the GDT or LDT. Any descriptor with an 
access byte equal to zero is considered empty. 
Any attempt to load a segment register with 
a selector that refers to an empty descriptor 
will cause an exception with an error code 
identifying the invalid selection. 
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Figure 7-3. iAPX 286 Virtual Address Space 
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Figure 7-4. Local and Global Descriptor Table Definition 
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7.2.3 Type Validation 

After checking that a selector reference is 
within the bounds of a descriptor table and 
refers to a non-empty descriptor, the type of 
segment defined by the descriptor is checked 
against the destination register. Since each 
segment register has predefined functions, 
each must refer to certain types of segments 
(see section 7.4.1). An attempt to load a 
segment register in violation of the protection 
rules causes an exception. 

The "null" selector is a special type of 
segment selector. It has an index field of all 
zeros and a table indicator of 0. The null 
selector appears to refer to GDT descriptor 
entry #0. This selector value may be used as 
a place holder in the DS or ES segment regis- 
ters; it may be loaded into them without 
causing an exception. However, any attempt 
to use the null segment registers to reference 
memory will cause an exception and prevent 
any memory cycle from occurring. 

7.3 PRIVILEGE LEVELS AND PROTECTION 

As explained in section 6.2, each task has its 
own separate virtual address space defined by 
its LDT. All tasks share a common address 
space defined by the GDT. The system 
software then has direct access to task data 
and can treat all pointers in the same way. 

Protection is required to prevent programs 
from improperly using code or data that 
belongs to the operating system. The four 
privilege levels of the iAPX 286 provide the 
isolation needed between the various layers of 
the system. The iAPX 286 privilege levels are 
numbered from to 3, where is the most 
trusted level, 3 the least. 

Privilege level is a protection attribute 
assigned to all segments. It determines which 
procedures can access the segment. Like 
access rights and limit checks, privilege checks 



are automatically performed by the hardware, 
and thus protects both data and code 
segments. 

Privilege on the iAPX 286 is hierarchical. 
Operating system code and data segments 
placed at the most privileged level (0) cannot 
be accessed directly by programs at other 
privilege levels. Programs at privilege level 
may access data at all other levels. Programs 
at privilege levels 1-3 may only access data at 
the same or less trusted (numerically greater) 
privilege levels. Figure 7-6 illustrates the 
privilege level protection of code or data 
within tasks. 

In figure 7-6, programs can access data at the 
same or outer level, but not at inner levels. 
Code and data segments placed at level 1 
cannot be accessed by programs executing at 
levels 2 or 3. Programs at privilege level can 
access data at level 1 in the course of provid- 
ing service to that level. iAPX 286 provides 
mechanisms for inter-level transfer of control 
when needed (see section 7.5). 

The four privilege levels of the iAPX 286 are 
an extension of the typical two-level user/ 
supervisor privilege mechanism. Like user 
mode, application programs in the outer level 
are not permitted direct access to data 
belonging to more privileged system services 
(supervisor mode). The iAPX 286 adds two 
more privilege levels to provide protection for 
different layers of system software (system 
services, I/O drivers, etc.). 

7.3.1 Example of Using Four Privilege 
Levels 

Two extra privilege levels allow development 
of more reliable, and flexible system software. 
This is achieved by dividing the system into 
small, independent units. Figure 7-6 shows an 
example of the usage of different protection 
levels. Here, the most privileged level is called 
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Figure 7-6. Code and Data Segments Assigned to a Privilege Level 



the kernel. This software would provide basic, 
application-independent, CPU-oriented 
services to all tasks. Such services include 
memory management, task isolation, multi- 
tasking, inter-task communication, and I/O 
resource control. Since the kernel is only 
concerned with simple functions and cannot 
be affected by software at other privilege 
levels, it can be kept small, safe, and under- 
standable. 

Privilege level one is designated system 
services. This software provides high-level 
functions like file access scheduling, charac- 
ter I/O, data communcations, and resource 
allocation policy which are commonly 
expected in all systems. Such software 



remains isolated from applications programs 
and relies on the services of the kernel, yet 
cannot affect the integrity of level 0. 

Privilege level 2 is the custom operating 
system extensions level. It allows standard 
system software to be customized. Such 
customizing can be kept isolated from errors 
in applications programs, yet cannot affect the 
basic integrity of the system software. 
Examples of customized software are the data 
base manager, logical file access services, etc. 

This is just one example of protection mecha- 
nism usage. Levels 1 and 2 may be used in 
many different ways. The usage (or non- 
usage) is up to the system designer. 
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Programs at each privilege level are isolated 
from programs at outer layers, yet cannot 
affect programs in inner layers. Programs 
written for each privilege level can be smaller, 
easier to develop, and easier to maintain than 
a monolithic system where all system software 
can affect all other system software. 

7.3.2 Privilege Usage 

Privilege applies to tasks and three types of 
descriptors: 

1. Main memory segments 

2. Gates (control descriptors for state or task 
transitions, discussed in sections 7.5.1, 
7.5.3, 8.3, 8.4 and 9.2) 

3. Task state segments (discussed in 
Chapter 8). 

Task privilege is a dynamic value. It is derived 
from the code segment currently being 
executed. Task privilege can change only 
when a control transfers to a different code 
segment. 

Descriptor privilege, including code segment 
privilege, is assigned when the descriptor (and 
any associated segment) is created. The 
system designer assigns privilege directly 
when the system is constructed with the 
system builder (see the iAPX 286 Builder 
User's Guide) or indirectly via a loader. 

Each task operates at only one privilege level 
at any given moment: namely that of the code 
segment being executed. (The conforming 
segments discussed in section 11.2 permit 
some flexibility in this regard.) However, as 
figure 7-5 indicates, the task may contain 
segments at one, two, three, or four levels, all 
of which are to be used at appropriate times. 
The privilege level of the task, then, changes 
under the carefully enforced rules for trans- 
fer of control from one code segment to 
another. 



The descriptor privilege attribute is stored in 
the access byte of a descriptor and is called 
the Descriptor Privilege Level (DPL). Task 
privilege is called the Current Privilege Level 
(CPL). The least significant two bits of the 
CS register specify the CPL. 

A few general rules of privilege can be stated 
before the detailed discussions of later 
sections. Data access is restricted to those 
segments whose privilege level is the same or 
less privileged (numerically greater) than the 
current privilege level (CPL). Direct code 
access, e.g., via call or jump, is restricted to 
code segments of equal privilege. A gate 
(section 7.5.1) is required for access to code 
at more privileged levels. 

7.4 SEGMENT DESCRIPTOR 

Although the format of access control infor- 
mation, discussed below, is similar for both 
data and code segment descriptors, the rules 
for accessing data segments differ from those 
for transferring control to code segments. 
Data segments are meant to be accessible 
from many privilege levels, e.g., from other 
programs at the same level or from deep 
within the operating system. The main 
restriction is that they cannot be accessed by 
less privileged code. 

Code segments, on the other hand, are meant 
to be executed at a single privilege level. 
Transfers of control that cross privilege 
boundaries are tightly restricted, requiring the 
use of gates. Control transfers within a privi- 
lege level can also use gates, but they are not 
required. Control transfers are discussed in 
section 7.5. 

Protection checks are automatically invoked 
at several points in selecting and using new 
segments. The process of addressing memory 
begins when the currently executing program 
attempts to load a selector into one of the 
segment registers. As discussed in Chapter 6, 
the selector has the form shown in figure 7-7. 
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When a new selector is loaded into a segment 
register, the processor accesses the associated 
descriptor to perform the necessary loading 
and privilege checks. 



The protection mechanism verifies that the 
selector points to a valid descriptor type for 
the segment register (see section 7.4.1). After 



verifying the descriptor type, the CPU 
compares the privilege level of the task (CPL) 
to the privilege level in the descriptor (DPL) 
before loading the descriptor's information 
into the cache. 

The general format of the eight bits in the 
segment descriptor's access rights byte is 
shown in table 7-1. 
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Figure 7-7. Selector Fields 
Table 7-1. Segment Access Rights Byte Format 



Bit 


Name 


Description 


7 

6,5 
4 


Present 

DPL 
Segment 


1 means Present and addressable in real memory; means not 
present. See section 1 1 .3. 

2-bit Descriptor Privilege Level, to 3. 

1 means Segment descriptor; means control descriptor. 


For Segment= 1 , the remaining bits have the following meanings: 


3 
2 

1 




Executable 
Cor ED 

RorW 

Accessed 


1 means code, means data. 

If code, Conforming: 1 means yes, no. 

If data, Expand Down: 1 yes, no— normal case. 

If code, Readable: 1 means readable, not. 
If data, Writable: 1 means writable, not. 

1 if segment descriptor has been Accessed, if not. 



NOTE: When the Segment bit (bit 4) is 0, the descriptor is for a gate, a task state segment, or a Local Descriptor 
Table, and the meanings of bits through 3 change. Control transfers and descriptors are discussed in 
section 7.5. 
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For example, the access rights byte for a data 
and code segment present in real memory but 
not yet accessed (at the same privilege level) 
are shown in figure 7-8. 

Whenever a segment descriptor is loaded into 
a segment register, the accessed bit in the 
descriptor table is set to 1. This bit is useful 
for determining the usage profile of the 
segment. 

NOTE 

The Intel reserved bytes in the segment 
descriptor must be set to for compati- 
bility with iAPX 386. 

7.4.1 Data Accesses 

Data may be accessed in data segments or 
readable code segments. When DS or ES is 
loaded with a new selector, e.g., by an LDS, 
LES, or MOV to ES, SS, or DS instruction, 



the bits in the access byte are checked to 
verify legitimate descriptor type and access 
(see table 7-2). If any test fails, an error code 
is pushed onto the stack identifying the selec- 
tor involved (see figure 7-5 for the error code 
format). 

A privilege check is made when the segment 
register is loaded. In general, a data segment's 
DPL must be numerically greater than or 
equal to the CPL. The DPL of a descriptor 
loaded into the SS must equal the CPL. 
Conforming (readable) code segments are an 
exception to privilege checking rules. 

Once the segment descriptor and selector are 
loaded, the offset of subsequent accesses 
within the segment are checked against the 
limit given in the segment descriptor. Violat- 
ing the segment size limit causes a General 
Protection exception with an error code of 0. 
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Figure 7-8. Access Byte Example 
Table 7-2. Allowed Segment Types in Segment Registers 



Segment Register 


Allowed Segment Types 


Read Only 


Read-Write 


Execute Only 


Execute-Read 




Data Segment 


Data Segment 


Code Segment 


Code Segment 


DS 


Yes 


Yes 


No 


Yes 


ES 


Yes 


Yes 


No 


Yes 


SS 


No 


Yes 


No 


No 


CS 


No 


No 


Yes 


Yes 
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A normal data segment is addressed with 
offset values ranging from to the size of the 
segment. When the ED bit of the access rights 
byte in the segment descriptor is 0, the 
allowed range of offsets is 0000H to the limit. 
If limit is OFFFFH, the data segment contains 
65536 bytes. 

Since stacks normally occupy different offset 
ranges (lower limit to OFFFFH) than data 
segments, the limit field of a segment 
descriptor can be interpreted in two ways. The 
Expand Down (ED) bit in the access byte 
allows offsets for stack segments to be greater 
than the limit field. When ED is 1, the 
allowed range of offsets within the segment is 
limit +1 to OFFFFH. To allow a full stack 
segment, set ED to 1 and the limit to 
OFFFFH. The ED bit of a data segment 
descriptor does not have to be set for use in 
SS (i.e., it will not cause an exception). 
Section 7.5.4 discusses stack segment usage 
in greater detail. An expand down (ED=1) 
segment can be loaded into ES or DS. 

Limit and access checks are performed before 
any memory reference is started. For stack 
push instructions (PUSH, PUSHA, ENTER, 
CALL, INT), a possible limit violation is 
identified before any internal registers are 
updated. Therefore, these instructions are 
fully restartable after a stack size violation. 



7.4.2 Code Segment Access 

Code segments are accessed via CS for 
execution. Segments that are execute-only can 
ONLY be executed; they cannot be accessed 
via DS or ES, nor read via CS with a CS 
override prefix. If a segment is executable (bit 
3 = 1 in the access byte), access via DS or ES 
is possible only if it is also readable. Thus, 
any code segment that also contains data must 
be readable. (Refer to Chapter 2 for a discus- 
sion of segment override prefixes.) 



An execute-only segment preserves the 
privacy of the code against any attempt to 
read it; such an attempt causes a general 
protection fault with an error code of 0. A 
code segment cannot be loaded into SS and is 
never writable. Any attempted write will 
cause a general protection fault with an error 
code of 0. 

The limit field of a code segment descriptor 
identifies the last byte in the segment. Any 
offset greater than the limit value will cause 
general protection. The prefetcher of the 
iAPX 286 can never cause a code segment 
limit violation. The program must attempt to 
execute an instruction beyond the end of the 
code segment to cause an exception. 

If a readable non-conforming code segment is 
to be loaded into DS or ES, the privilege level 
requirements are the same as those stated for 
data segments in 7.4.1. 

Code segments are subject to different privi- 
lege checks when executed. The normal privi- 
lege requirement for a jump or call to another 
code segment is that the current privilege level 
equal the descriptor privilege level of the new 
code segment. Jumps and calls within the 
current code segment automatically obey this 
rule. 

Return instructions may pass control to code 
segments at the same or less (numerically 
greater) privileged level. Code segments at 
more privileged levels may only be reached 
via a call through a call gate as described in 
section 7.5. 

An exception to this, previously stated, is the 
conforming code segment that allows the DPL 
of the requested code segment to be numeri- 
cally less than (of greater privilege than) the 
CPL. Conforming code segments are 
discussed in section 1 1.2. 
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7.4.3 Data Access Restriction by 
Privilege Level 

This section describes privilege verification 
when accessing either data segments (loading 
segment selectors into DS, ES, or SS) or 
readable code segments. Privilege verification 
when loading CS for transfer of control across 
privilege levels is described in the next section. 

Three basic kinds of privilege level indicators 
are used when determining accessibility to a 
segment for reading and writing. They are 
termed Current Privilege Level (CPL), 
Descriptor Privilege Level (DPL), and 
Requested Privilege Level (RPL). The CPL 
is simply the privilege level of the code 
segment that is executing (except if the 
current code segment is conforming). It is 
stored as bits and 1 of the CS and SS 
registers. 

DPL is the privilege level of the segment; it is 
stored in bits 5 and 6 of the access byte of a 
descriptor. For data access to data segments 
and non-conforming code segments, CPL 
must be numerically less than or equal to DPL 
(the task must be of equal or greater privi- 
lege) for access to be granted. Violation of this 
rule during segment load instruction causes a 
general protection exception with an error 
code identifying the selector. 

While the enforcement of DPL protection 
rules provides the mechanism for the isola- 
tion of code and data at different privilege 
levels, it is conceivable that an erroneous 
pointer passed onto a more trusted program 
might result in the illegal modification of data 
with a higher privilege level. This possibility 
is prevented by the enforcement of effective 
privilege level protection rules and correct 
usage of the RPL value. 

The RPL (requested privilege level) is used 
for pointer validation. It is the least signifi- 



cant two bits in the selector value loaded into 
the segment register. RPL is intended to 
indicate the privilege level of the originator of 
that selector. A selector may be passed down 
through several procedures at different levels. 
The RPL reflects the privilege level of the 
original supplier of the selector, not the privi- 
lege level of the intermediate supplier. The 
RPL must be numerically less than or equal 
to the DPL of the descriptor selected, thereby 
indicating greater or equal privilege of the 
supplier; otherwise, access is denied and a 
general protection violation occurs. 

Pointer validity testing is required in any 
system concerned with preventing program 
errors from destroying system integrity. The 
iAPX 286 provides hardware support for 
pointer validity testing. The RPL field 
indicates the privilege level of the originator 
of the pointer to the hardware. Access will be 
denied if the originator of the pointer did not 
have access to the selected segment even if 
the CPL is numerically less than or equal to 
the DPL. RPL can reduce the effective privi- 
lege of a task when using a particular selec- 
tor. RPL never allows access to more 
privileged segments (CPL must always be less 
than or equal to DPL). 

A fourth term is sometimes used: the Effec- 
tive Privilege Level (EPL). It is defined as the 
numeric maximum of the CPL and the 
RPL — meaning the one of lesser privilege. 
Access to a protected entity is granted only 
when the EPL is numerically less than or 
equal to the DPL of that entity. This is simply 
another way of saying that both CPL and 
RPL must be less than or equal to DPL for 
access to be granted. 

7.4.4 Pointer Privilege Stamping via ARPL 

The ARPL instruction is provided in the 
iAPX 286 to fill the RPL field of a selector 
with the minimum privilege (maximum 
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numeric value) of the selector's current RPL 
and the caller's CPL (given in an instruction- 
specified register). A straight insertion of the 
caller's CPL would mark the pointer with the 
privilege level of the caller, but not necessar- 
ily the ultimate originator of the selector (e.g., 
Level 3 supplies a selector to a level 2 routine 
that calls a level routine with the same 
selector). 

Figure 7-9 shows a program with an example 
of such a situation. The program at privilege 
level 3 calls a routine at level 2 via a gate. 
The routine at level 2 uses the ARPL instruc- 
tion to assure that the selector's RPL is 3. 
When the level 2 routine calls a routine at 
level and passes the selector, the ARPL 
instruction at level leaves the RPL field 
unchanged. 

Marking a pointer with the originator's privi- 
lege eliminates the complex and time- 
consuming software typically associated with 
pointer validation in less comprehensive 
architectures. The iAPX 286 hardware 
performs the pointer test automatically while 
loading the selector. 

Privilege errors are trapped at the time the 
selector is loaded because pointers are 
commonly passed to other routines, and it 
may not be possible to identify a pointer's 
originator. To verify the access capabilities of 



a pointer, it should be tested when the pointer 
is first received from an untrusted source. The 
VERR (Verify Read), VERW (Verify 
Write), and LAR (Load Access Rights) 
instructions are provided for this purpose. 

Although pointer validation is fully supported 
in the iAPX 286, its use is an option of the 
system designer. To accommodate systems 
that do not require it, RPL can be ignored by 
setting selector RPLs to zero (except stack 
segment selectors) and not adjusting them 
with the ARPL instruction. 

7.5 CONTROL TRANSFERS 

Three kinds of control transfers can occur 
within a task: 

1. Within a segment, causing no change of 
privilege level (a short jump, call, or 
return). 

2. Between segments at the same privilege 
level (a long jump, call, or return). 

3. Between segments at different privilege 
levels (a long call, or return). (NOTE: A 
JUMP to a different privilege level is not 
allowed.) 

The first two types of control transfers need 
no special controls (with respect to privilege 
protection) beyond those discussed in 
section 7.4. 
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Figure 7-9. Pointer Privilege Stamping 
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Inter-level transfers require special consider- 
ation to maintain system integrity. The 
protection hardware must check that: 

• The task is currently allowed to access the 
destination address. 

• The correct entry address is used. 

To achieve control transfers, a special 
descriptor type called a gate is provided to 
mediate the change in privilege level. Control 
transfer instructions call the gate rather than 
transfer directly to a code segment. From the 
viewpoint of the program, a control transfer 
to a gate is the same as to another code 
segment. 

Gates allow programs to use other programs 
at more privileged levels in the same manner 
as a program at the same privilege level. 
Programmers need never distinguish between 
programs or subroutines that are more privi- 
leged than the current program and those that 
are not. The system designer may, however, 
elect to use gates only for control transfers 
that cross privilege levels. 

7.5.1 Gates 

A gate is a four-word descriptor used to 
redirect a control transfer to a different code 
segment in the same or more privileged level 
or to a different task. There are four types of 
gates: call, trap, interrupt, and task gates. The 
access rights byte distinguishes a gate from a 
segment descriptor, and determines which 
type of gate is involved. Figure 7-10 shows the 
format of a gate descriptor. 

A key feature of a gate is the re-direction it 
provides. All four gate types define a new 
address which transfers control when invoked. 
This destination address normally cannot be 
accessed by a program. Loading the selector 
to a call gate into SS, DS, or ES will cause a 
general protection fault with an "error code 
identifying the invalid selector. 



Only the selector portion of an address is used 
to invoke a gate. The offset is ignored. All that 
a program need know about the desired 
function is the selector required to invoke the 
gate. The iAPX 286 will automatically start 
the execution at the correct address. 

A further advantage of a gate is that it 
provides a fixed address for any program to 
invoke another program. The calling 
program's address remains unaltered even if 
the entry address of the destination program 
changes. Thus, gates provide a fixed set of 
entry points that allow a task to access 
Operating System functions such as simple 
subroutines, yet the task is prohibited from 
simply jumping into the middle of the 
Operating System. 

Call gates, as described in the next section, 
are used for control transfers within a task 
which must either be transparently redirected 
or which require an increase in privilege level. 
A call gate normally specifies a subroutine at 
a greater privilege level, and the called routine 
returns via a return instruction. Call gates also 
support delayed binding (resolution of target 
routine addresses at run-time rather than 
program-generation-time). 

Trap and interrupt gates handle interrupt 
operations that are to be serviced within the 
current task. Interrupt gates cause interrupts 
to be disabled; trap gates do not. Trap and 
interrupt gates both require a return via the 
interrupt return instruction. 

Task gates are used to control transfers 
between tasks and to make use of task state 
segments for task control and status infor- 
mation. Tasks are discussed in Chapter 8, 
interrupts in Chapter 9. 

In the iAPX 286 protection model, each 
privilege level has its own stack. Therefore, a 
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control transfer (call or return) that changes 
the privilege level causes a new stack to be 
invoked. 



7.5.1.1 CALL GATES 

Call gate descriptors are used by call and 
jump instructions in the same manner as a 
code segment descriptor. The hardware 
automatically recognizes that the destination 
selector refers to a gate descriptor. Then, the 
operation of the instruction is expanded as 
determined by the contents of the call gate. 
A jump instruction can access a call gate only 
if the target code segment is at the same 



privilege level. A call instruction uses a call 
gate for the same or more privileged access. 

A call gate descriptor may reside in either the 
GDT or the LDT, but not in the IDT. Figure 
7-10 gives the complete layout of a call gate 
descriptor. 

A call gate can be referred to by either the 
long JMP or CALL instructions. From the 
viewpoint of the program executing a JMP or 
CALL instruction, the fact that the destina- 
tion was reached via a call gate and not 
directly from the destination address of the 
instruction is not apparent. 
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Figure 7-10. Gate Descriptor Format 
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lege and presence will be checked. The gate's 
DPL (in the access byte) is checked against 
the EPL (MAX (task CPL, selector RPL)). 
If EPL > CPL, the program is less privi- 
leged than the gate and therefore it may not 
make a transition. In this case, a general 
protection fault occurs with an error code 
identifying the gate. Otherwise, the gate is 
accessible from the program executing the 
call, and the control transfer is allowed to 
continue. After the privilege checks, the 
descriptor presence is checked. If the present 
bit of the gate access rights byte is (i.e., the 
target code segment is not present), no present 
fault occurs with an error code identifying the 
gate. 

The checks indicated in table 7-3 are applied 
to the contents of the call gate. Violating any 
of them causes the exception shown. The low 
order two bits of the error code are zero for 
these exceptions. 

7.5.1.2 INTRA-LEVEL TRANSFERS VIA CALL GATE 

The transfer is Intra-level if the destination 
code segment is at the same privilege level as 
CPL. Either the code segment is non- 
conforming with DPL = CPL or it is 
conforming, with DPL < CPL (see section 
11.2 for this case). The 32-bit destination 
address in the gate is loaded into CS:IP. 



The following is a description of the protec- 
tion checks performed while transferring 
control (with the CALL instruction) through 
a call gate: 

• Verifying that access to the call gate is 
allowed. One of the protection features 
provided by call gates is the access checks 
made to determine if the call gate may 
be used (i.e., checking if the privilege level 
of the calling program is adequate). 

• Determining the destination address and 
whether a privilege transition is required. 
This feature makes privilege transitions 
transparent to the caller. 

• Performing the privilege transition, if 
required. 

Verifying access to a call gate is the same for 
any call gate and is independent of whether a 
JMP or CALL instruction was used. The rules 
of privilege used to determine whether a data 
segment may be accessed are employed to 
check if a call gate may be jumped-to or 
called. Thus, privileged subroutines can be 
hidden from untrusted programs by the 
absence of a call gate. 

When an inter-segment CALL or JMP 
instruction selects a call gate, the gate's privi- 



Table 7-3. Call Gate Checks 



Type of Check 


Fault' 1 ' 


Error Code 


Selector is not Null 


GP 





Selector is within Descriptor Table Limit 


GP 


Selector ID 


Descriptor is a Code Segment 


GP 


Code segment 


Code Segment is Present 


NP 


Code Segment id 


Nonconforming Code Segment 


GP 


Code Segment id 


DPL > CPL 







NOTES: 

(1) GP = General Protection, NP = Not-Present Exception. 

The offset portion of the JMP or CALL destination address which refers to a call gate is always ignored. 
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If the IP value is not within the limit of the 
code segment, a general protection fault 
occurs with an error code of 0. If a CALL 
instruction is used, the return address is saved 
in the normal manner. The only effect of the 
call gate is to place a different address into 
CS:IP than that specified in the destination 
address of the JMP or CALL instruction. This 
feature is useful for systems which require 
that a fixed address be provided to programs, 
even though the entry address for the routine 
may change due to different functions, 
software changes, or segment relocation. 

7.5.1.3 INTER-LEVEL CONTROL TRANSFER VIA 
CALL GATES 

If the destination code segment of the call 
gate is at a different privilege level than the 
CPL, an inter-level transfer is being 
requested. However, if the destination code 



segment DPL < CPL, then a general protec- 
tion fault occurs with an error code identify- 
ing the destination code segment. 

The gate guarantees that all transitions to a 
more privileged level will go to a valid entry 
point rather than possibly into the middle of 
a procedure (or worse, into the middle of an 
instruction). See figure 7-11. 

Calls to more privileged levels may be 
performed only through call gates. A JMP 
instruction can never cause a privilege change. 
Any attempt to use a call gate in this manner 
will cause a general protection fault with an 
error code identifying the gate. Returns to 
more privileged levels are also prohibited. 
Inter-level transitions due to interrupts use a 
different gate, as discussed in Chapter 9. 
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Figure 7-11. Call Gate 
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The RPL field of the CS selector saved as part 
of the return address will always identify the 
caller's CPL. This information is necessary to 
correctly return to the caller's privilege level 
during the return instruction. Since the CALL 
instruction places the CS value on the more 
privileged stack, and JMP instructions cannot 
change privilege levels, it is not possible for a 
program to maliciously place an invalid return 
address on the caller's stack. 



7.5.1.4 STACK CHANGES CAUSED BY CALL GATES 

To maintain system integrity, each privilege 
level has a separate stack. These stacks assure 
sufficient stack space to process calls from less 
privileged levels. Without them, trusted 
programs may not work correctly, especially 
if the calling program does not provide suffi- 
cient space on the caller's stack. 

When a call gate is used to change privilege 
levels, a new stack is selected as determined 
by the new CPL. The new stack pointer value 
is loaded from the Task State Segment (TSS). 
The privilege level of the new stack data 
segment must equal the new CPL; if it does 
not, a task stack fault occurs with the saved 
machine state pointing at the CALL instruc- 
tion and the error code identifying the invalid 
stack selector. 

The new stack should contain enough space 
to hold the return address, and all parameters 
and local variables required to process the call. 
The initial stack pointers for privilege levels 
0-2 in the TSS are strictly read only values. 
They are never changed during the course of 
execution. 

The normal technique for passing parameters 
to a subroutine is to place them onto the stack. 
To make privilege transitions transparent to 
the called program, a call gate specifies that 
parameters are to be copied from the old stack 



to the new stack. The word count field in a 
call gate (see figure 7-10) specifies how many 
words (up to 31) are to be copied from the 
caller's stack to the new stack. If the word 
count is zero, no parameters are copied. 

Before copying the parameters, the new stack 
is checked to assure that it is large enough to 
hold the parameters; if it is not, a stack fault 
occurs with an error code of 0. After the 
parameters are copied, the return link is on 
the new stack (i.e., a pointer to the old stack 
is placed in the new stack). In particular, the 
return address is pointed at by SS:SP. The 
call and return example of figure 7- 1 2 illus- 
trate the stack contents after a successful 
inter-level call. 

The stack pointer of the caller is saved above 
the caller's return address as the first two 
words pushed onto the new stack. The caller's 
stack can only be saved for calls to proce- 
dures at privilege levels 2, 1 , and 0. Since level 
3 cannot be called by any procedure at any 
other privilege level, the level 3 stack will 
never contain links to other stacks. 

Procedures requiring more than the 31 words 
for parameters that may be called from 
another privilege level must use the saved 
SS:SP link to access all parameters beyond 
the last word copied. 

The call gate does not check the values of the 
words copied onto the new stack. The called 
procedure should check each parameter for 
validity. Section 11.3 discusses how the 
ARPL, VERR, VERW, LSL, and LAR 
instructions can be used to check pointer 
values. 



7.5.2 Inter-level Returns 

An inter-segment return instruction can also 
change levels, but only toward programs of 
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Figure 7-12. Stack Contents After an Inter-Level Call 



equal or lesser privilege (when code segment 
DPL is numerically greater or equal than the 
CPL). The RPL of the selector popped off the 
stack by the return instruction identifies the 
privilege level to resume execution of the 
calling program. 

When the RET instruction encounters a saved 
CS value whose RPL > CPL, an inter-level 
return occurs. Checks shown in table 7-4 are 
made during such a return. 

The old SS:SP value is then adjusted by the 
number of bytes indicated in the RET 
instruction and loaded into SS:SP. The new 
SP value is not checked for validity. If SP is 
invalid it is not recognized until the first stack 



operation. The SS:SP value of the returning 
program is not saved. (Note: this value 
normally is the same as that saved in the 
TSS.) 

The last step in the return is checking the 
contents of the DS and ES descriptor regis- 
ter. If DS or ES refer to segments whose DPL 
is greater than the new CPL (excluding 
conforming code segments), the segment 
registers are loaded with the null selector. Any 
subsequent memory reference that attempts 
to use the segment register containing the null 
selector will cause a general protection fault. 
This prevents less privileged code from 
accessing more privileged data previously 
accessed by the more privileged program. 
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Table 7-4. Inter-Level Return Checks 



Type of Check 


Exception* 


Error Code 


SP is not a Segment Limit 


SF 





SP + N + 7 is not in Segment Limit 


SF 





RPL of Return CS is Greater than CPL 


GP 


Return CS id 


Return CS Selector is not null 


GP 


Return CS id 


Return CS segment is within Descriptor Table Limit 


GP 


Return CS id 


Return CS Descriptor is a Code Segment 


GP 


Return CS id 


Return CS Segment is Present 


NP 


Return CS id 


DPL of Return Non-Conforming Code Segment = RPL of CS 


GP 


Return CS id 


SS Selector at SP + N + 6 is not Null 


SF 


Return SS id 


SS Selector at SP + N + 6 is within Descriptor Table Limit 


SF 


Return SS id 


SS Descriptor is Writable Data Segment 


SF 


Return SS id 


SS Segment is Present 


SF 


Return SS id 


SS Segment DPL = RPL of CS 


SF 


Return SS id 



*SF = Stack Fault, GP = General Protection Exception, NP = Not-Present Exception 
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CHAPTER 8 
TASKS AND STATE TRANSITIONS 



8.1 INTRODUCTION 

An iAPX 286 task is a single, sequential 
thread of execution. Each task can be isolated 
from all other tasks. There may be many tasks 
associated with an iAPX 286 CPU, but only 
one task executes at any time. Switching the 
CPU from executing one task to executing 
another can occur as the result of either an 
interrupt or an inter-task call or jump. A 
hardware recognized data structure defines 
each task. 

The iAPX 286 provides a high performance 
task switch operation with complete isolation 
between tasks. A full task-switch operation 
takes only 22 microseconds at 8 MHz 
(18 microseconds at 10 MHz). High- 
performance, interrupt-driven, multi- 
application systems that need the benefits of 
protection are feasible with the 80286. 

A performance advantage and system design 
advantage arise from the iAPX 286 task 
switch: 

• Faster task switch: A task switch is a 
single instruction performed by micro- 
code. Such a scheme is 2-3 times faster 
than an explicit task switch instruction. 
A fast task switch translates to a signifi- 
cant performance boost for heavily multi- 
tasked systems over conventional 
methods. 

• More reliable, flexible systems: The 
isolation between tasks and the high speed 
task switch allows interrupts to be 
handled by separate tasks rather than 
within the currently interrupted task. This 
isolation of interrupt handling code from 
normal programs prevents undesirable 
interactions between them. The interrupt 



system can become more flexible since 
adding an interrupt handler is as safe and 
easy as adding a new task. 

• Every task is protected from all others via 
the separation of address spaces described 
in Chapter 7 (unless explicit sharing is 
planned in advance). If the address spaces 
of two tasks include no shared data, one 
task cannot affect the data of another 
task. Code sharing is always safe since 
code segments may never be written into. 

8.2 TASK STATE SEGMENTS AND 
DESCRIPTORS 

Tasks are defined by a special control segment 
called a Task State Segment (TSS). The 
definition of a task includes its address space 
and execution state. A task is invoked (made 
active) by inter-segment jump or call instruc- 
tions whose destination address refers to a 
task state segment or a task gate. 

The Task State Segment (TSS) has a special 
descriptor. The Task Register within the CPU 
contains a selector to that descriptor. Each 
TSS selector value is unique, providing an 
unambiguous "identifier" for each task. Thus, 
an operating system can use the value of the 
TSS selector to uniquely identify the task. 

A TSS contains 22 words that define the 
contents of all registers and flags, the initial 
stacks for privilege levels 0-2, the LDT selec- 
tor, and a link to the TSS of the previously 
executing task. Figure 8-1 shows the layout 
of the TSS. 

Each TSS consists of two parts, a static 
portion and a dynamic portion. The static 
entries are never changed by the iAPX 286, 
while the dynamic entries are changed by each 
task switch out of this task. The static portions 
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Figure 8-1. Task State Segment and TSS Registers 
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of this segment are the task LDT selector and 
the initial stack pointer address for 
levels 0-2. 

The modifiable or dynamic portion of the task 
state segment consists of all dynamically- 
variable and programmer-visible processor 
registers, including flags, segment registers, 
and the instruction pointer. It also includes 
the linkage word used to chain nested invoca- 
tions of different tasks. 

The link word provides a history of which 
tasks invoked others. The link word is impor- 
tant for restarting an interrupted task when 
the interrupt has been serviced. Placing the 
back link in the TSS protects it from improper 
use by the interrupt task. 

The stack pointer entries in the TSS for privi- 
lege levels 0-2 are static (i.e., never written 
during a privilege or task switch). They define 
the stack to use upon entry to that privilege 
level. When entering a more privileged level, 
the caller's stack pointer is saved on the stack 
of the new privilege level, not in the TSS. 
Leaving the privilege level requires popping 
the caller's return address and stack pointer 
off the current stack. The stack pointer at that 
point will be the same as the initial value 
loaded from the TSS upon entry to the 
privilege level. 



There is only one stack active at any time, the 
one defined by the SS and SP registers. The 
only other stacks that may be active are those 
at outer (less privileged) levels that called the 
current level. Stacks for inner levels cannot 
be active since outward (to numerically larger 
privilege levels) calls from inner levels are not 
allowed. 

The location of the stack pointer for an outer 
privilege level will always be found at the start 
of the stack of the inner privilege level called 
by that level. That stack may be the initial 
stack for this privilege level or an outer level. 
Look at the start of the stack for this privi- 
lege level. If the RPL of the saved SS selector 
is the privilege level required, then use the 
SS:SP value there. Otherwise, go to the 
beginning of the stack defined by that value 
and look at the saved SS:SP value there. 

8.2.1 Task State Segment Descriptors 

A special descriptor is used for task state 
segments. This descriptor must be accessible 
at all times; therefore, it can appear only in 
the GDT. The access byte distinguishes TSS 
descriptors from data or code segment 
descriptors. When bits 1 through 4 of the 
access byte are 0001 or 0003, the descriptor 
is for a TSS. 

The complete layout of a task state segment 
descriptor is shown in figure 8-2. 
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Figure 8-2. TSS Descriptor 
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Like a data segment; the descriptor contains 
a base address and limit field. The limit must 
be at least 002BH (43) to contain the 
minimum amount of information required for 
a TSS. A task fault will occur if an attempt 
is made to switch to a task whose TSS 
descriptor limit is less than 43. 

The P-bit (Present) flag indicates whether this 
descriptor contains currently valid informa- 
tion: 1 means yes, no. A task switch that 
attempts to reference a not-present TSS 
causes a not-present exception code identify- 
ing the task state segment selector. 

The descriptor privilege level (DPL) controls 
use of the TSS by JMP or CALL instruc- 
tions. By the same reasoning as that for call 
gates, DPL can prevent a program from 
calling the TSS and thereby cause a task 
switch. Section 8.3 discusses privilege consid- 
erations during a task switch in greater detail. 

Bit 4 is always since TSS is a control 
segment descriptor. Control segments cannot 
be accessed by SS, DS, or ES. Any attempt 
to load those segment registers with a selec- 
tor that refers to a control segment causes 
general protection. This rule prevents the 
program from improperly changing the 
contents of a control segment. 

TSS descriptors can have two states: idle and 
busy. Bit 1 of the access byte distinguishes 
them. The distinction is necessary since tasks 
are not re-entrant; a busy TSS may not be 
invoked. 



descriptor. The offset portion of the 
destination address is ignored. 

2. An IRET instruction is executed when 
the NT bit in the flag word = 1 . The new 
task TSS selector is in the back link field 
of the current TSS. 

3. The destination selector of a long JMP or 
CALL instruction refers to a task gate. 
The offset portion of the destination 
address is ignored. The new task TSS 
selector is in the gate. (See section 8.5 for 
more information on task gates.) 

4. An interrupt occurs. This interrupt's 
vector refers to a task gate in the inter- 
rupt descriptor table. The new task TSS 
selector is in the gate. See section 9.4 for 
more information on interrupt tasks. 

No new instructions are required for a task 
switch operation. The standard iAPX 86 
JMP, CALL, IRET, or interrupt operations 
perform this function. The distinction between 
the standard instruction and a task switch is 
made either by the type of descriptor refer- 
enced or by the NT bit in flag word. The 
choice of technique depends on whether a task 
is being made active or idle and whether 
return from the new task is expected. 

Using the call instruction to switch tasks 
implies a return is expected from the called 
task. The jump instruction implies no return 
is expected from the new task. 

The IRET instruction causes a return to the 
task that called this one. 



8.3 TASK SWITCHING 

A task switch may occur in one of four ways: 

1 . The destination selector of a long JMP or 
CALL instruction refers to a TSS 



The task gate is the preferred method of 
servicing an interrupt in an isolated task. 

Access to TSS and task gate descriptors is 
restricted by the rules privilege level. The data 
access rules are used, thereby allowing task 
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switches to be restricted to programs of suffi- 
cient privilege. Address space separation does 
not apply to TSS descriptors since they must 
be in the GDT. The access rules for inter- 
rupts are discussed in section 9.4. 

For JMP or CALL instructions that refer- 
ence a TSS or task gate, the effective privi- 
lege level of the destination selector (i.e., the 
numeric maximum of the selector's RPL and 
current CPL) must be less than or equal to 
the descriptor DPL. If it is not, a general 
protection fault will occur with an error code 
identifying the descriptor. 

Once access to the TSS has been granted, the 
task switch operation involves six steps: 

1. Recognizing that the JMP/CALL/IRET 
instruction or interrupt requires a task 
switch: One of the four ways shown in 
section 8.3 must be used for this. The new 
TSS to use is defined either directly by 
the TSS descriptor selected by the 
instruction or is in the task gate. 

2. Checking that the current task is allowed 
to switch to the designated task: Data 
access privilege rules are applied for the 
JMP/CALL cases. The current task 
becomes the outgoing task. 

3. Checking that the new task is present and 
has a proper TSS limit: The new task 
becomes the incoming task. 

4. Saving the state of the outgoing task: The 
outgoing TSS selector is in the TR. The 
dynamic portion of the outgoing TSS is 
written with the corresponding CPU 
register values (e.g., AX, BX, CX, DX, 
SI, DI, BP, SP, ES, DS, SS, CS, IP, and 
flag register). The IP value points at the 
instruction following the one which 
caused the task switch. All errors up to 
this point are handled in the context of 



the outgoing task. The errors are restart- 
able and error handling is transparent to 
the application program. 

5. Load TR with the incoming task selec- 
tor, mark the incoming task's descriptor 
as busy, and set TS. 

6. Load the incoming task state and resume 
execution: The following registers are 
loaded: LDT, AX, BX, CX, DX, SI, DI, 
BP, SP, ES, DS, SS, CS, IP, and flag 
register. Any errors detected in this step 
are handled in the context of the incom- 
ing task. It will appear as if the first 
instruction of the new task had not yet 
executed. 

Note that the state of the outgoing task is 
always saved. If execution of that task is 
resumed, it will start the instruction that 
caused the task switch. The values of the 
registers will be the same as that when the 
task stopped running. 

Any task switch sets the Task Switched (TS) 
bit in the Machine Status Word (MSW). This 
flag is used when processor extensions such 
as the 80287 Numeric Processor Extension 
are present. The TS bit signals that the 
context of the processor extension may not 
belong to the current iAPX 286 task. Chapter 
1 1 discusses the TS bit and processor exten- 
sions in more detail. 

The checks in table 8-1 are made during the 
task switch. All the requirements shown in the 
table must be satisfied for the task switch to 
occur without an exception. For each check, 
the type of exception and error code are 
described. Up to and including step 3, the 
exception occurs in the context of the outgo- 
ing task. After step 3, the incoming task is 
considered valid. All exceptions occur in the 
context of the incoming task. 
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Table 8-1. Checks Made During a Task Switch 



Step 


Test 


Exception* 


Error Code 


1 


Incoming TSS descriptor is present 


NP 


Incoming TSS selector 


2 


Incoming TSS is idle 


GP 


Incoming TSS selector 


3 


Limit of incoming TSS greater than 43 


Invalid TSS 


Incoming TSS selector 


*** All register and selector values are loaded *** 


4 


LDT selector of incoming TSS is valid 


Invalid TSS 


Incoming TSS selector 


5 


LDT of incoming TSS is present 


Invalid TSS 


Incoming TSS selector 


6 


CS selector is valid 


Invalid TSS 


Code segment selector 


7 


Code segment is present 


NP 


Code segment selector 


8 


Code segment DPL matches CS RPL 


Invalid TSS 


Code segment selector 


9 


Stack segment is valid 


SF 


Stack segment selector 


10 


Stack segment is writable data segment 


GP 


Stack segment selector 


11 


Stack segment is present 


SF 


Stack segment selector 


12 


Stack segment DPL = CPL 


SF 


Stack segment selector 


13 


DS/ES selectors are valid 


GP 


Segment selector 


14 


DS/ES segments are readable 


GP 


Segment selector 


15 


DS/ES segments are present 


NP 


Segment selector 


16 


DS/ES segment DPL > CPL if not conform 


GP 


Segment selector 



*NP = Not-Present Exception 
GP = General Protection Fault 
SF = Stack Fault 



Validity tests on a selector ensure that the 
selector: is in the proper table (i.e., the LDT 
selector refers to GDT), lies within the bounds 
of the table, and refers to the proper type of 
descriptor (i.e., the LDT selector refers to the 
LDT descriptor). 

Note that between steps 3 and 4 in table 8-1 
all the registers are loaded. Several protec- 
tion rule violations may exist in the segment 
register contents. If the appropriate exception 
handler receives control in the context of the 
task causing the error, the DS and ES 
segments may not be accessible even though 
the segment registers contain non-zero values. 
These values must be saved for later re-use. 
When the exception handler reloads these 
segment registers, another protection excep- 
tion may occur unless the exception handler 
pre-examines them and fixes any potential 
problems. 



A task switch allows flexibility in the privi- 
lege level of the outgoing and incoming tasks. 
The privilege level at which execution resumes 
in the incoming task is not restricted by the 
privilege level of the outgoing task. This is 
reasonable since both tasks are isolated from 
each other with separate address spaces and 
machine states. The privilege rules prevent 
improper access to a TSS. The only interac- 
tion between the tasks is to the extent that 
one started the other and the incoming task 
may restart the outgoing task while executing 
an IRET or RET instruction. 

8.4 TASK LINKING 

The TSS has a field called "back link" which 
contains the selector of the TSS of a task that 
should be restarted when the current task 
completes. The back link field of an inter- 
rupt-initiated task is automatically written 
with the TSS selector of the interrupted task. 
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A task switch initiated by a CALL instruc- 
tion also points the back link at the outgoing 
task's TSS. Such task nesting is indicated to 
programs via the Nested Task (NT) bit in the 
flag word of the incoming task. 

Task nesting is necessary for interrupt 
functions to be processed as separate tasks. 
The interrupt function is thereby isolated from 
all other tasks in the system. To restart the 
interrupted task, the interrupt handler 
executes an IRET instruction much in the 
same manner as an iAPX 86 interrupt 
handler. The IRET instruction will then cause 
a task switch to the interrupted task. 

Completion of a task occurs when the IRET 
instruction is executed with the NT bit in the 
flag word set. The NT bit is automatically 
set/reset by task switch operations as appro- 
priate. Executing an IRET instruction with 
NT cleared causes the normal iAPX 86 inter- 
rupt return function to be performed. 

Executing IRET with NT set causes a task 
switch to the task defined by the back link 
field of the current TSS. The selector value is 
fetched and verified as pointing to a valid, 
accessible TSS. The normal task switch 
operation described in section 8.3 then occurs. 



After the task switch is complete, the outgo- 
ing task is now idle and considered ready to 
process another interrupt. 

Table 8-2 shows how the busy bit, NT bit, 
and link word of the incoming and outgoing 
task are affected by task switch operations 
caused by JMP, CALL, or IRET 
instructions. 

Violation of any of the busy bit requirements 
shown in table 8-2 causes a general protec- 
tion fault with the saved machine state 
appearing as if the instruction had not 
executed. The error code identifies the selec- 
tor of the TSS with the busy bit. 

A bus lock is applied during the testing and 
setting of the TSS descriptor busy bit to 
ensure that two processors do not invoke the 
same task at the same time. See also section 
1 1.4 for other multi-processor considerations. 

The linking order of tasks can be changed by 
trusted software that can correctly change the 
back link field in a TSS and busy bit of the 
descriptor. Such changes are necessary if the 
software wants to restart a task interrupted 
by another task after the interrupted task 
requests some time-consuming function. 



Table 8-2. Effect of a Task Switch on BUSY and NT Bits and the Link Word 





JMP 


CALL/INT 


IRET 


Affected Field 


Instruction 


Instruction 


Instruction 




Effect 


Effect 


Effect 


Busy bit of incoming task TSS descriptor 


Set, must be 


Set, must be 


Unchanged, 




before 


before 


must be set 


Busy bit of outgoing task TSS descriptor 


Cleared 


Unchanged 


Cleared 


NT bit in incoming task flag word 


Cleared 


Set 


Unchanged 


NT bit in outgoing task flag word 


Unchanged 


Unchanged 


Cleared 


Back link in incoming task TSS 


Unchanged 


Set to outgoing 
task TSS selector 


Unchanged 


Back link of outgoing task TSS 


Unchanged 


Unchanged 


Unchanged 



8-7 



TASKS AND STATE TRANSITIONS 



When trusted software deletes the link from 
one task to another, it should place a value in 
the backlink field, which will pass control to 
that trusted software when the task attempts 
to resume execution of another task via IRET. 

8.5 TASK GATES 

A task may be invoked by several different 
events. Task gates are provided to support this 
need. Task gates are used in the same way as 
call and interrupt gates. The ultimate effect 
of jumping to or calling a task gate is the same 
as jumping to or calling directly to the TSS 
in the task gate. 

Figure 8-3 depicts the layout of a task gate. 

A task gate is identified by the access byte 
field in bits through 4 being 00101. The gate 
provides an extra level of indirection between 
the destination address and the TSS selector 
value. The offset portion of the JMP or CALL 
destination address is ignored. 

Gate use provides flexibility in controlling 
access to tasks. Task gates can appear in the 



GDT or LDT. The TSS descriptors for all 
tasks must be kept in the GDT. They are 
normally placed at level to prevent any task 
from improperly invoking another task. Task 
gates placed in the LDT allow private access 
to selected tasks with full privilege control. 

The data segment access rules apply to 
accessing a task gate via JMP, CALL, or INT 
instructions. The effective privilege level 
(EPL) of the destination selector must be 
numerically less than or equal to the DPL of 
the task gate descriptor. Any violation of this 
requirement causes a general protection fault 
with an error code identifying the task gate 
involved. 



Once access to the task gate has been verified, 
the TSS selector from the gate is read. The 
RPL of the TSS selector is ignored. From this 
point, all the checks and actions performed 
for a JMP or CALL to a TSS after access 
has been verified are performed (see section 
8.4). Figure 8-4 illustrates an example of a 
task switch through a task gate. 
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Figure 8-3. Task Gate Descriptor 
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Figure 8-4. Task Switch Through a Task Gate 



8-9 



Interrupts And Exceptions Q 



CHAPTER 9 
INTERRUPTS AND EXCEPTIONS 



Interrupts and exceptions are special cases of 
control transfer within a program. An inter- 
rupt occurs as a result of an event that is 
independent of the currently executing 
program, while exceptions are a direct result 
of the program currently being executed. 
Interrupts may be external or internal. Exter- 
nal interrupts are generated by either the 
INTR or NMI input pins. Internal interrupts 
are caused by the INT instruction. Excep- 
tions occur when an instruction cannot be 
completed normally. Although their causes 
differ, interrupts and exceptions use the same 
control transfer techniques and privilege rules; 
therefore, in the following discussions the term 
interrupt will also apply to exceptions. 

The program used to service an interrupt may 
execute in the context of the task that caused 
the interrupt (i.e., used the same TSS, LDT, 
stacks, etc.) or may be a separate task. The 
choice depends on the function to be 
performed and the level of isolation required. 



9.1 INTERRUPT DESCRIPTOR TABLE 

Many different events may cause an inter- 
rupt. To allow the reason for an interrupt to 
be easily identified, each interrupt source is 
given a number called the interrupt vector. Up 
to 256 different interrupt vectors (numbers) 
are possible. See figure 9- 1 . 

A table is used to define the handler for each 
interrupt vector. The Interrupt Descriptor 
Table (IDT) defines the interrupt handlers for 
up to 256 different interrupts. The IDT is in 
physical memory, pointed to by the contents 
of the on-chip IDT register that contains a 
24-bit base and a 16-bit limit. The IDTR is 
normally loaded with the LIDT instruction by 
code that executes at privilege level during 
system initialization. The IDT may be located 
anywhere in the physical address space of the 
iAPX 286. 

Each IDT entry is a 4-word gate descriptor 
that contains a pointer to the handler. The 
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Figure 9-1. Interrupt Descriptor Table Definition 
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three types of gates permitted in the IDT are 
interrupt gates, trap gates (discussed in 
section 9.3), and task gates (discussed in 
section 8.5). Interrupt and task gates process 
interrupts in the same task, while task gates 
cause a task switch. Any other descriptor type 
in the IDT will cause an exception if it is 
referenced by an interrupt. 

The IDT need not contain all 256 entries. A 
16-bit limit register allows less than the full 
number of entries. Unused entries may be 
signaled by placing a zero in the access rights 
byte. If an attempt is made to access an entry 
outside the table limit, or if the wrong 
descriptor type is found, a general protection 
fault occurs with an error code identifying the 
invalid interrupt vector (see figure 9-2). 

Exception error codes that refer to an IDT 
entry can be identified by bit 1 of the error 
code that will be set. Bit of the error code 
is 1 if the interrupt was caused by an event 
external to the program (i.e., an external 
interrupt, a single step, a processor extension 
error, or a processor extension not present). 

Interrupts 0-31 are reserved for use by Intel. 
Some of the interrupts are used for instruc- 



tion exceptions. The IDT limit must be at 
least 255 to accommodate the minimum 
number of interrupts. The remaining 224 
interrupts are available to the user. 

9.2 HARDWARE INITIATED INTERRUPTS 

Hardware-initiated interrupts are caused by 
some external event that activates either the 
INTR or NMI input pins of the processor. 
Events that use the INTR input are classified 
as maskable interrupts. Events that use the 
NMI input are classified as non-maskable 
interrupts. 

All 224 user-defined interrupt sources share 
the INTR input, but each has the ability to 
use a separate interrupt handler. An 8-bit 
vector supplied by the interrupt controller 
identifies which interrupt is being signaled. To 
read the interrupt id, the processor performs 
the interrupt acknowledge bus sequence. 

Maskable interrupts (from the INTR input) 
can be inhibited by software by setting the 
interrupt flag bit (IF) to in the flag word. 
The IF bit does not inhibit exceptions or 
interrupts caused by the INT instruction. The 
IF bit also does not inhibit processor exten- 
sion interrupts. 
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Figure 9-2. IDT Selector Error Code 
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The type of gate placed into the IDT for the 
interrupt vector will control whether other 
maskable interrupts remain enabled or not 
during the servicing of that interrupt. The flag 
word that was saved on the stack reflects the 
maskable interrupt enable status of the 
processor prior to the interrupt. The proce- 
dure servicing a maskable interrupt can also 
prevent further maskable interrupts during its 
work by resetting the IF flag. 

Non-maskable interrupts are caused by the 
NMI input. They have a higher priority than 
the maskable interrupts (meaning that in case 
of simultaneous requests, the non-maskable 
interrupt will be serviced first). A non- 
maskable interrupt has a fixed vector (#2) and 
therefore does not require an interrupt 
acknowledge sequence on the bus. A typical 
use of an NMI is to invoke a procedure to 
handle a power failure or some other critical 
hardware exception. 

A procedure servicing an NMI will not be 
further interrupted by other non-maskable 
interrupt requests until an IRET instruction 
is executed. Any further NMI requests are 
remembered by the hardware and will be 
serviced after the first IRET instruction. To 
prevent a maskable interrupt from interrupt- 
ing the NMI interrupt handler, the IF flag 
should be cleared either by using an interrupt 
gate in the IDT or by setting IF = in the 
flag word of the task involved. 

9.3 SOFTWARE INITIATED INTERRUPTS 

Software initiated interrupts occur explicitly 
as interrupt instructions or may arise as the 
result of an exceptional condition that 
prevents the continuation of program execu- 
tion. Software interrupts are not maskable. 
Two interrupt instructions exist which explic- 
itly cause an interrupt: INT n and INT 3. The 
first allows specification of any interrupt 
vector; the second implies interrupt vector 3 
(Breakpoint). 



Other instructions like INTO, BOUND, DIV, 
and IDIV may cause an interrupt, depending 
on the overflow flag or values of the operands. 
These instructions have predefined vectors 
associated with them in the first 32 interrupts 
reserved by Intel. 

A whole class of interrupts called exceptions 
are intended to detect faults or programming 
errors (in the use of operands or privilege 
levels). Exceptions cannot be masked. They 
also have fixed vectors within the first 32 
interrupts. Many of these exceptions pass an 
error code on the stack, which is not the case 
with the other interrupt types discussed in 
section 9.2. Section 9.5 discusses these error 
codes as well as the priority among interrupts 
that can occur simultaneously. 

9.4 INTERRUPT GATES AND TRAP GATES 

Interrupt gates and trap gates are special 
types of descriptors that may only appear in 
the interrupt descriptor table. The difference 
between a trap and an interrupt gate is 
whether the interrupt enable flag is to be 
cleared or not. An interrupt gate specifies a 
procedure that enters with interrupts disabled 
(i.e., with the interrupt enable flag cleared); 
entry via a trap gate leaves the interrupt 
enable status unchanged. The NT flag is 
always cleared when an interrupt uses these 
gates. Interrupts that have either gate in the 
associated IDT entry will be processed in the 
current task. 

Interrupts and trap gates have the same 
structure as the call gates discussed in section 
7.5.1. The selector and entry point for a code 
segment to handle the interrupt or exception 
is contained in the gate. See figure 9-3. 

The access byte contains the Present bit, the 
descriptor privilege level, and the type identi- 
fier. Bits 0-4 of the access byte have a value 
of 6 for interrupt gates, 7 for trap gates. Byte 
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5 of the descriptor is not used by either of 
these gates; it is used only by the call gate, 
which uses it as the parameter word-count. 

Trap and interrupt gates allow a privilege 
level transition to occur when passing control 
to a non-conforming code segment. Like a call 
gate, the DPL of the target code segment 
selected determines the new CPL. The DPL 
of the new non-conforming code segment must 
be less than or equal to CPL. 

No privilege transition occurs if the new code 
segment is conforming. If the DPL of the 
conforming code segment is greater than the 
CPL, a general protection exception will 
occur. 

As with all descriptors, these gates in the IDT 
carry a privilege level. The DPL controls 
access to interrupts with the INT n instruc- 
tion. For access, the CPL of the program must 
be less than or equal to the gate DPL. If the 
CPL is not, a general protection exception will 
result with an error code identifying the 
selected IDT gate. For exceptions and exter- 
nal interrupts, the CPL of the program is 
ignored while accessing the IDT. 



Interrupts pointing to a trap or an interrupt 
gate are handled in the same manner as an 
iAPX 86 interrupt. The flags and return 
address of the interrupted program are saved 
on the stack of the interrupt handler. To 
return to the interrupted program, the inter- 
rupt handler executes an IRET instruction. 

If a privilege transition is required for 
handling the interrupt, a new stack will be 
loaded from the TSS. The stack pointer of the 
old privilege level will also be saved on the 
new stack in the same manner as a call gate. 
Figure 9-4 shows the stack contents after an 
exception with an error code (with or without 
a privilege level change). 

If an interrupt or trap gate is used to handle 
an exception that passes an error code, the 
error code will be pushed onto the new stack 
after the return address (as shown in figure 
9-4). 

If an interrupt gate is used to handle an inter- 
rupt, it is assumed that the selected code 
segment has sufficient privilege to re-enable 
interrupts. The IRET instruction will not re- 
enable interrupts if CPL is numerically 
greater than IOPL. 
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Figure 9-4. Stack Layout for an Exception with Error Code 



Table 9-1 shows the checks performed during 
an interrupt operation that uses an interrupt 
or trap gate. EXT equals 1 when an event 
external to the program is involved, other- 
wise. External events are maskable or non- 
maskable interrupts, single step interrupt, 
processor extension segment overrun inter- 
rupt, numeric processor not-present excep- 
tion or numeric processor error. The EXT bit 
signals that the interrupt or exception is not 
related to the instruction at CS:IP. Each error 
code has bit 1 set to indicate an IDT entry is 
involved. 



When the interrupt has been serviced, the 
service routine returns control via an IRET 
instruction to the routine that was inter- 
rupted. If an error code was passed, the 
exception handler must remove the error code 
from the stack before executing IRET. 

The NT flag is cleared when an interrupt 
occurs which uses an interrupt or trap gate. 
Executing IRET with NT = causes the 
normal interrupt return function. Executing 
IRET with NT=1 causes a task switch (see 
section 8.4 for more details). 
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Table 9-1. Trap and Interrupt Gate Checks 



Check 


Exception* 


Error Code 


Interrupt vector is in IDT limit 

Trap, Interrupt, or Task Gate in IDT Entry 

If INT instruction, gate DPL > CPL 

P bit of gate is set 

Code segment selector is in descriptor table limit 

CS selector refers to a code segment 

If code segment is non-conforming, Code Segment 
DPL < CPL 

If code segment is non-conforming, and DPL < CPL and if 
SS selector in TSS is in descriptor table limit 

If code segment is non-conforming, and DPL < CPL and if 
SS is a writable data segment 


GP 
GP 
GP 
NP 
GP 
GP 
GP 

GP 

GP 


IDT entry X 8 + 2 + EXT 
IDT entry X 8 + 2 + EXT 
IDT entry X 8 + 2 + EXT 
IDT entry X 8 + 2 + EXT 
IDT entry X 8 + 2 + EXT 
IDT entry X 8 + 2 + EXT 
IDT entry X 8 + 2 + EXT 

IDT entry X 8 + 2 + EXT 

IDT entry X 8 + 2 + EXT 


"* After this point the saved address will be In the interrupt handler *" 


If code segment is non-conforming, and DPL < CPL and 
code segment DPL = stack segment DPL 

If code segment is non-conforming, and DPL < CPL and if 
SS is present 

If code segment is non-conforming, and DPL < CPL and if 
there is enough space for 5 words on the stack (or 6 if error 
code is required) 

If code segment is conforming, then DPL >CPL 

If code segment is not present 

If IP is not within the limit of code segment 


GP 
SF 
SF 

GP 
NP 
GP 


Stack segment selector + EXT 
Stack segment selector + EXT 
Stack segment selector + EXT 

Code segment selector + EXT 
Code segment selector + EXT 
+ EXT 



GP = General Protection Exception 
NP = Not Present Exception 
SF = Stack Fault 



Like the RET instruction, IRET is restricted 
to return to a level of equal or lesser privilege 
unless a task switch occurs. The IRET 
instruction works like the inter-segment RET 
instruction except that the flag word is popped 
and no stack update for parameters is 
performed. See section 7.5.5 for information 
on inter-level returns. 

To distinguish an inter-level IRET, the new 
CPL (which is the RPL of the return address 



CS selector) is compared with the current 
CPL. If they are the same, the IP and flags 
are popped and execution continues. 

An inter-level return via IRET has all the 
same checks as shown in table 7-4. The only 
difference is the extra word on the stack for 
the old flag word. 

Interrupt gates are typically associated with 
high-priority hardware interrupts for 
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automatically disabling interrupts upon their 
invocation. Trap gates are typically software- 
invoked since they do not disable the maska- 
ble hardware interrupts. However, low-prior- 
ity interrupts (e.g., a timer) are often invoked 
via a trap gate to allow other devices of higher 
priority to interrupt the handler of that lower 
priority interrupt. 

Table 9-2 illustrates how the interrupt enable 
flag and interrupt type interact with the type 
of gate used. 

9.5 TASK GATES AND INTERRUPT TASKS 

The iAPX 286 allows interrupts to directly 
cause a task switch. When an interrupt vector 
selects an entry in the IDT which is a task 
gate, a task switch occurs. The format of a 
task gate is described in section 8.5. 

A task gate offers two advantages over 
interrupt gates: 

1 . It automatically saves all of the processor 
registers as part of the task-switch opera- 
tion whereas an interrupt gate saves only 
the flag register and CS:IP. 

2. The new task is completely isolated from 
the task that was interrupted. Address 
spaces are isolated and the interrupt- 
handling task is unaffected by the 
privilege level of the interrupted task. 



An interrupt task switch works like any other 
task switch once the TSS selector is fetched 
from the task gate. Like a trap or an inter- 
rupt gate, privilege and presence rules are 
applied to accessing a task gate during an 
interrupt. 

Interrupts that cause a task switch set the NT 
bit in the flags of the new task. The TSS 
selector of the interrupted task is saved in the 
back link field of the new TSS. The inter- 
rupting task executes IRET to perform a task 
switch to return to the interrupted task 
because NT was previously set. The interrupt 
task state is saved in its TSS before returning 
control to the task that was interrupted; NT 
is restored to its original value in the inter- 
rupted task. 

Since the interrupt handler state after 
executing IRET is saved, a re-entry of the 
interrupt service task will result in the execu- 
tion of the instruction that follows IRET. 
Therefore, when the next interrupt occurs, the 
machine state will be the same as that when 
the IRET instruction was executed. 

Note that an interrupt task resumes execu- 
tion each time it is re-invoked, whereas an 
interrupt procedure starts executing at the 
beginning of the procedure each time. The 
interrupted task restarts execution at the point 





Table 9-2. Interrupt and Gate Interactions 




Type of 


Type of 


Further 


Further 


Further 


Further software 


Interrupt 


Gate 


NMIs? 


INTRs? 


Exceptions? 


Interrupts? 


NMI 


Trap 


No 


Yes 


Yes 


Yes 


NMI 


Interrupt 


No 


No 


Yes 


Yes 


INTR 


Trap 


Yes 


Yes 


Yes 


Yes 


INTR 


Interrupt 


Yes 


No 


Yes 


Yes 


Software 


Trap 


Yes 


Yes 


Yes 


Yes 


Software 


Interrupt 


Yes 


No 


Yes 


Yes 


Exception 


Trap 


Yes 


Yes 


Yes 


Yes 


Exception 


Interrupt 


Yes 


No 


Yes 


Yes 
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of interruption because interrupts occur before 
the execution of an instruction. 

When an interrupt task is used, the task must 
be concerned with avoiding further interrupts 
while it is operating. A general protection 
exception will occur if a task gate referring to 
a busy TSS is used while processing an inter- 
rupt. If subsequent interrupts can occur while 
the task is executing, the IF bit in the flag 
word (saved in the TSS) must be zero. 

9.5.1 Scheduling Considerations 

A software-scheduled operating system must 
be designed to handle the fact that interrupts 
can come along in the middle of scheduled 
tasks and cause a task switch to other tasks. 
The interrupt-scheduled tasks may call the 
operating system and eventually the schedu- 
ler, which needs to recognize that the task that 
just called it is not the one the operating 
system last scheduled. 

If the Task Register (TR) does not contain 
the TSS selector of the last scheduled task, 
an interrupt initiated task switch has 
occurred. More than one task may have been 
interrupt-scheduled since the scheduler last 
ran. The scheduler must find via the backlink 
fields in each TSS all tasks that have been 
interrupted. The scheduler can clear those 
links and reset the busy bit in the TSS 
descriptors, putting them back in the sched- 
uling queue for a new analysis of execution 
priorities. Unless the interrupted tasks are 
placed back in the scheduling queue, they 
would have to await a later restart via the task 
that interrupted them. 

To locate tasks that have been interrupt- 
scheduled, the scheduler looks into the current 
task's TSS backlink (word one of the TSS), 
which points at the interrupted task. If that 
task was not the last task scheduled, then it's 
backlink field in the TSS also points to an 
interrupted task. 



The backlink field of each interrupt-scheduled 
task should be set by the scheduler to point 
to a scheduling task that will reschedule the 
highest priority task when the interrupt- 
scheduled task executes IRET. 

9.5.2 Deciding Between Task, Trap and 
Interrupt Gates 

Interrupts and exceptions can be handled with 
either a trap/interrupt gate or a task gate. 
The advantages of a task gate are all the 
registers are saved and a new set is loaded 
with full isolation between the interrupted 
task and the interrupt handler. The advan- 
tages of a task/interrupt gate are faster 
response to an interrupt for simple operations 
and easy access to pointers in the context of 
the interrupted task. All interrupt handlers 
use IRET to resume the interrupted program. 

Trap/interrupt gates require that the inter- 
rupt handler be able to execute at the same 
or greater privilege level than the interrupted 
program. If any program executing at level 
can be interrupted through a trap/task gate, 
the interrupt handler must also execute at 
level to avoid general protection exception. 
All code, data, and stack segment descriptors 
must be in the GDT to allow access from any 
task. But, placing all system interrupt 
handlers at privilege level may be in 
consistent with maintaining the integrity of 
level programs. 

Some exceptions require the use of a task 
gate. The invalid task state segment excep- 
tion (#10) can arise from errors in the origi- 
nal TSS as well as in the target TSS. 
Handling the exception within the same task 
could lead to recursive interrupts or other 
undesirable effects that are difficult to trace. 
The double fault exception (#8) should also 
use a task gate to prevent shutdown from 
another protection violation occurring during 
the servicing of the exception. 
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9.6 PROTECTION EXCEPTIONS AND 
RESERVED VECTORS 

A protection violation will cause an excep- 
tion, i.e., a non-maskable interrupt. Such a 
fault can be handled by the task that caused 
it if an interrupt or trap gate is used, or by a 
different task if a task gate is used (in the 
IDT). 

Protection exceptions can be classified into 
program errors or implicit requests for service. 
The latter include stack overflow and not- 
present faults. Examples of program errors 
include attempting to write into a read-only 
segment, or violating segment limits. 

Requests for service may use different inter- 
rupt vectors, but many diverse types of 
protection violation use the same general 
protection fault vector. Table 9-3 shows the 
reserved exceptions and interrupts. 

When simultaneous external interrupt 
requests occur, they are processed in the fixed 
order shown in table 9-4. For each interrupt 
serviced, the machine state is saved. The new 
CS:IP is loaded from the gate or TSS. If other 
interrupts remain enabled, they are processed 



before the first instruction of the current 
interrupt handler, i.e., the last interrupt 
processed is serviced first. 

All but three exceptions are restartable after 
the exceptional condition is removed. The 
three non-restartable exceptions are the 
processor extension segment overrun, a 
segment limit exception that arises during a 
string operation, and writing into read only 
segments with ADC, SBB, RCL, and RCR 
instructions. The return address normally 
points to the failing instruction, including all 
leading prefixes. 

The instruction and data addresses for the 
processor extension segment overrun are 
contained in the processor extension status 
registers. 

Interrupt handlers for most exceptions receive 
an error code that identifies the selector 
involved, or a in bits 15-3 of the error code 
field if there is no selector involved. The error 
code is pushed last, after the return address, 
on the stack that will be active when the trap 
handler begins execution. This ensures that 
the handler will not have to access another 
stack segment to find the error code. 





Table 9-3. Reserved Exceptions and Interrupts 




Vector 
Number 


Description 


Restartable 


Error Code 





Divide Error Exception 


Yes 


No 


1 


Single Step Interrupt 


Yes 


No 


2 


NMI Interrupt 


Yes 


No 


3 


Breakpoint Interrupt 


Yes 


No 


4 


INTO Detected Overflow Exception 


Yes 


No 


5 


BOUND Range Exceeded Exception 


Yes 


No 


6 


Invalid Opcode Exception 


Yes 


No 


7 


Processor Extension Not Available Exception 


Yes 


No 


8 


Double Exception Detected 


No 


Yes (Always 0) 


9 


Processor Extension Segment Overrun Interrupt 


No 


No 


10 


Invalid Task State Segment 


Yes 


Yes 


11 


Segment Not Present 


Yes 


Yes 


12 


Stack Segment Overrun or Not Present 


Yes 


Yes 


13 


General Protection 


No 


Yes 
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Table 9-4. Interrupt Processing Order 



Order 



Interrupt 



Instruction exception 

Single step 

NMI 

Processor extension segment overrun 

INTR 

INT instruction 



The following sections describe the excep- 
tions in greater detail. 

9.6.1 Invalid OP-Code (Interrupt 6) 

When an invalid opcode is detected by the 
execution unit, interrupt 6 is invoked. (It is 
not detected until an attempt is made to 
execute it, i.e., prefetching an invalid opcode 
does not cause this exception.) The saved 
CS.TP will point to the invalid opcode or any 
leading prefixes; no error code is pushed on 
the stack. The exception can be handled 
within the same task, and is restartable. 

This exception will occur for all cases of an 
invalid operand. Examples include an inter- 
segment jump referencing a register operand, 
or an LES instruction with a register source 
operand. This exception can also occur 
because redundant prefixes have been placed 
before an instruction so that the total length 
of the instruction exceeds 10 bytes. 

9.6.2 Double Fault (Interrupt 8) 

If two separate protection violations occur 
during a single instruction, exception 8 
(Double Fault) occurs (e.g., a general protec- 
tion fault in level 3 is followed by a not- 
present fault due to a segment not-present). 
If another protection violation occurs during 
the processing of exception 8, the iAPX 286 
enters shutdown, during which time no further 
instructions or exceptions are processed. 



Either NMI or RESET can force the CPU 
out of shutdown. An NMI input can bring the 
CPU out of shutdown if no errors occur while 
processing the NMI interrupt; otherwise, 
shutdown can only be exited via the RESET 
input. NMI causes the CPU to remain in 
protected mode, and RESET causes it to exit 
protected mode. Shutdown is signaled exter- 
nally via a HALT bus operation with Al 
HIGH. 

A task gate must be used for the double fault 
handler to assure a proper task state to 
respond to the exception. The back link field 
in the current TSS will identify the TSS of 
the task causing the exception. The saved 
address will point at the instruction that was 
being executed (or was ready to execute) 
when the error was detected. The error code 
will be null. 

9.6.3 Processor Extension Segment 
Overrun (Interrupt 9) 

Interrupt 9 signals that the processor exten- 
sion (such as the 80287 numerics processor) 
has overrun the limit of a segment while 
attempting to read/write the second or subse- 
quent words of an operand. The interrupt is 
generated by the processor extension data 
channel within the 80286 during the limit test 
performed on each transfer of data between 
memory and the processor extension. This 
interrupt can be handled in the same task but 
is not restartable. 

As with all external interrupts, Interrupt 9 is 
an asynchronous demand caused by the 
processor extension referencing something 
outside a segment boundary. Since Interrupt 
9 can occur any time after the processor 
extension is started, the 80286 does not save 
any information that identifies what particu- 
lar operation had been initiated in the proces- 
sor extension. The processor extension 
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maintains special registers that identify the 
last instruction it executed and the address of 
the desired operand. 

After this interrupt occurs, no WAIT or 
escape instruction, except FNINIT, can be 
executed until the interrupt condition is 
cleared or the processor extension is reset. The 
interrupt signals that the processor extension 
is requesting an invalid data transfer. The 
processor extension will always be busy when 
waiting on data. Deadlock results if the CPU 
executes an instruction that causes it to wait 
for the processor extension before resetting the 
processor extension. Deadlock means the CPU 
is waiting for the processor extension to 
become idle while the processor extension 
waits for the CPU to service its data request. 

The FNINIT instruction is guaranteed to 
reset the processor extension without causing 
deadlock. After the interrupt is cleared, this 
restriction is lifted. It is then possible to read 
the instruction and operand address via 
FSTENV or FSAVE, causing the segment 
overrun in the processor extension's special 
registers. 



9.6.4 Invalid Task State Segment 
(Interrupt 10) 

Interrupt 10 is invoked if during a task switch 
the new TSS pointed to by the task gate is 
invalid. The EXT bit indicates whether the 
exception was caused by an event outside the 
control of the program. 

A TSS is considered invalid in the cases shown 
in table 9-5. 

Once the existence of the new TSS is verified, 
the task switch is considered complete, with 
the backlink set to the old task if necessary. 
All errors are handled in the context of the 
new task. 

Exception 10 must use a task gate to insure a 
proper TSS to process it. 

9.6.5 Not Present (Interrupt 11) 

Exception 1 1 occurs when an attempt is made 
to load a not-present segment or to use a 
control descriptor that is marked not-present. 
(If, however, the missing segment is an LDT 



Table 9-5. Conditions that Invalidate the TSS 


Reason 


Error Code 


The limit in the TSS descriptor is less than 43 


TSS id + EXT 


Invalid LDT selector or LDT not present 


LDT id + EXT 


Stack segment selector is outside table limit 


SS id + EXT 


Stack segment is not a writable segment 


SS id + EXT 


Stack segment DPL does not match new CPL 


SS id + EXT 


Stack segment selector RPL # CPL 


SS id + EXT 


Code segment selector is outside table limit 


CS id + EXT 


Code segment selector does not refer to code segment 


CS id + EXT 


Non-conforming code segment DPL ^ CPL 


CS id + EXT 


Conforming code segment DPL>CPL 


CS id + EXT 


DS or ES segment selector is outside table limits 


ES/DS id + EXT 


DS or ES are not readable segments 


ES/DS id + EXT 
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that is needed in a task switch, exception 10 
occurs.) This exception is fully restartable. 

Any segment load instruction can cause this 
exception. Interrupt 1 1 is always processed in 
the context of the task in which it occurs. 

The error code has the form shown in figure 
9-5. The EXT bit will be set if an event exter- 
nal to the program caused an interrupt that 
subsequently referenced a not-present 
segment. Bit 1 will be set if the error code 
refers to an IDT entry, e.g., an INT instruc- 
tion referencing a not-present gate. The upper 
14 bits are the upper 14 bits of the segment 
selector involved. 

When a not-present exception occurs, the ES 
and DS segment registers may not be usable 
for referencing memory. During a task switch, 
the selector values are loaded before the 
descriptors are checked. The not-present 
handler should not rely on being able to use 
the values found in CS, ES, SS, and DS 
without causing another exception. 



9.6.6 Stack Fault (Interrupt 12) 

Stack underflow or overflow causes exception 
1 2, as does a not-present stack segment refer- 
enced during an inter-task or inter-level 
transition. This exception is fully restartable. 
A limit violation of the current stack results 
in an error code of 0. The EXT bit of the error 
code tells whether an interrupt external to the 
program caused the exception. 

Any instruction that loads a selector to SS 
(e.g., POP SS, task switch) can cause this 
exception. This exception must use a task gate 
if there is a possibility that any level stack 
may not be present. 

When a stack fault occurs, the ES and DS 
segment registers may not be usable for 
referencing memory. During a task switch, the 



selector values are loaded before the descrip- 
tors are checked. The stack fault handler 
should check the saved values of SS, CS, DS, 
and ES to be sure that they refer to present 
segments before restoring them. 



9.6.7 General Protection Fault 
(Interrupt 13) 

If a protection violation occurs which is not 
covered in the preceding paragraphs, it is 
classed as Interrupt 13, a general protection 
fault. The error code is zero for limit viola- 
tions, write to read-only segment violations, 
and accesses relative to DS or ES when they 
are zero or refer to a segment at a greater 
privilege level than CPL. Other access viola- 
tions (e.g., a wrong descriptor type) push a 
non-zero error code that identifies the selec- 
tor used on the stack. Error codes with bit 
cleared and bits 15-2 non-zero indicate a 
restartable condition. 

Bit 1 of the error code identifies whether the 
selector is in the IDT or LDT/GDT. If bit 
1=0 then bit 2 separates LDT from GDT. 
Bit (EXT) indicates whether the exception 
was caused by the program or an event exter- 
nal to it (i.e., single stepping, an external 
interrupt, a processor extension not-present or 
a segment overrun). If bit is set, the selec- 
tor typically has nothing to do with the 
instruction that was interrupted. The selector 
refers instead to some step of servicing an 
interrupt that failed. 

When bit of the error code is set, the 
program can be restarted, except for proces- 
sor extension segment overrun exceptions. The 
exception with the bit of the error code = 1 
indicates some interrupt has been lost due to 
a fault in the descriptor pointed to by the error 
code. 

A non-zero error code with bit cleared may 
be an operand of the interrupted instruction, 
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an operand from a gate referenced by the 
instruction, or a field from the invalid TSS. 

9.7 ADDITIONAL EXCEPTIONS AND 
INTERRUPTS 

Interrupts 0, 5, and 1 have not yet been 
discussed. Interrupt is the divide-error 
exception, Interrupt 5 the bound-range 
exceeded exceptions, and Interrupt 1 the 
single step interrupt. The divide-error or 
bound-range exceptions make it appear as if 
that instruction had never executed: the 
registers are restored and the instruction can 
be restarted. The divide-error exception occurs 
during a DIV or an IDIV instruction when 
the quotient will be too large to be represent- 
able, or when the divisor is zero. 

Interrupt 5 occurs when a value exceeds the 
limit set for it. A program can use the 
BOUND instruction to check a signed array 
index against signed limits defined in a two- 
word block of memory. The block can be 
located just before the array to simplify 
addressing. The block's first word specifies the 
array's lower limit, the second word specifies 
the array's upper limit, and a register speci- 
fies the array index to be tested. 

9.7.1 Single Step Interrupt (Interrupt 1) 

Interrupt 1 allows programs to execute one 
instruction at a time. This single-stepping is 
controlled by the TF bit in the flag word. 
Once this bit is set, an internal single step 



interrupt will occur after the next instruction 
has been executed. The interrupt saves the 
flags and return address on the stack, clears 
the TF bit, and uses an internally supplied 
vector of 1 to transfer control to the service 
routine via the IDT. 

The IRET instruction or a task switch must 
be used to set the TF bit and to transfer 
control to the next instruction to be single 
stepped. If TF=1 in a TSS and that task is 
invoked, it will execute the first instruction 
and then be interrupted. 

The single-step flag is normally not cleared 
by privilege changes inside a task. INT 
instructions also do not clear TF. System 
software should check the current execution 
privilege level after any single step interrupt 
to see whether single stepping should continue. 

The interrupt priorities in hardware guaran- 
tee that if an external interrupt occurs, single 
stepping stops. When both an external inter- 
rupt and a single step interrupt occur together, 
the single step interrupt is processed first. This 
clears the TF bit. After saving the return 
address or switching tasks, the external inter- 
rupt input is examined before the first 
instruction of the single step handler executes. 
If the external interrupt is still pending, it is 
then serviced. The external interrupt handler 
is not single-stepped. To single step an inter- 
rupt handler, just single step an interrupt 
instruction that refers to the interrupt handler. 
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SYSTEM CONTROL AND INITIALIZATION 



Special flags, registers, and instructions 
provide contol of the critical processes and 
interaction in iAPX 286 operations. The flag 
register includes 3 bits that represent the 
current I/O privilege level (IOPL: 2 bits) and 
the nested task bit (NT). Four additional 
registers support the virtual addressing and 
memory protection features, one points to the 
current Task State Segment and the other 
three point to the memory-based descriptor 
tables: GDT, LDT, and IDT. These flags and 
registers are discussed in the next section. The 
machine status word, (which indicates 
processor configuration and status) and the 
instructions that load and store it are 
discussed in section 10.2.2. 

Similar instructions pertaining to the other 
registers are the subject of sections 10.2 and 

10.3. A detailed description of initialization 
states and processes, which appears in section 

10.4, is supplemented by the extensive 
example in Appendix A. Instructions that 
validate descriptors and pointers are covered 
in section 11.3. 

10.1 SYSTEM FLAGS AND REGISTERS 

The IOPL flag (bits 12 and 13 of the flags 
word) controls access to I/O operations and 
interrupt control instructions. These two bits 
represent the maximum privilege level 
(highest numerical CPL) at which the task is 
permitted to perform I/O instructions. Alter- 
ation of the IOPL flags is restricted to 
programs at level or to a task switch. 

IRET uses the NT flag to select the proper 
return: if NT=0, the normal return within a 
task is performed. As discussed in Chapter 8, 
the nested task flag (bit 14 of flags) is set 
when a task initiates a task switch via a 



CALL or INT instruction. The old and new 
task state segments are marked busy and the 
backlink field of the new TSS is set to the old 
TSS selector. An interrupt that does not cause 
a task switch will clear NT after the old NT 
state is saved. To prevent a program from 
causing an illegal task switch by setting NT 
and then executing IRET, a zero selector 
should be placed in the backlink field of the 
TSS. An illegal task switch using IRET will 
then cause exception 13. The instructions 
POPF and IRET can also set or clear NT 
when flags are restored from the stack. POPF 
and IRET can also change the interrupt 
enable flag. If CPL < IOPL, then the Inter- 
rupt Flag (IF) can be changed by POPF and 
IRET. Otherwise, the state of the IF bit in 
the new flag word is ignored by these instruc- 
tions. Note that the CLI and STI instructions 
are valid only when CPL < IOPL. 

10.1.1 Descriptor Table Registers 

The three descriptor tables used for all 
memory accesses are based at addresses 
supplied by (stored in) three registers: the 
global descriptor table register (GDTR), the 
interrupt descriptor table register (IDTR), 
and the local descriptor table register 
(LDTR). Each register contains a 24-bit base 
field and a 16-bit limit field. The base field 
gives the real memory address of the begin- 
ning of the table; the limit field tells the 
maximum offset permitted in accessing table 
entries. See figures 10-1 thru 10-3. 

The LDT also contains a selector field that 
identifies the DT descriptor for that table. 
LDT descriptors must reside in the GDT. 

The task register (TR) points to the task state 
segment for the currently active task. It is 
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Figure 10-1. Local and Global Descriptor Table Definition 
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Figure 10-2. Interrupt Descriptor Table Definition 
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Figure 10-3. Global Descriptor Table and Interrupt 
Descriptor Data Type 

similar to a segment register, with selector, 
base, and limit fields, of which only the selec- 
tor field is readable under normal circum- 
stances. Each such selector serves as a unique 
identifier for its task. The uses of the TR are 
described in Chapter 8. 

The instructions controlling these special 
registers are described in the next section. 

10.2 SYSTEM CONTROL INSTRUCTIONS 

The instructions that load the GDTR and 
IDTR from memory can only be executed at 
privilege level 0. The store instructions for 
GDTR and IDTR may be executed at any 
privilege level. The four instructions are 
LIDT, LGDT, SIDT, and SGDT. The 
instructions move 3 words between the 
indicated descriptor table register and the 
effective real memory address supplied. The 
format of the 3 words is: a 2-byte limit, a 3- 
byte real base address, followed by an unused 
byte. These instructions are normally used 
during system initialization. 

Similarly, the LLDT instruction loads the 
LDT registers from a descriptor in the GDT. 
LLDT uses as its operand a selector to that 



descriptor. LLDT, only executable at privi- 
lege level 0, is normally required only during 
system initialization because the processor 
automatically exchanges the LDTR contents 
as part of the task-switch operation. 

Executing an LLDT instruction does not 
automatically update the TSS or the register 
caches. To properly change the LDT of the 
currently running task so that the change 
holds across task switches, you must perform, 
in order, the following three steps: 

1. Store the new LDT selector into the 
appropriate word of TSS. 

2. Load the new LDT selector into LDTR. 

3. Reload the DS and ES registers if they 
refer to LDT-based descriptors. 

Note that the current code segment and stack 
segment descriptors should reside in the GDT 
or be copied to the same location in the new 
LDT. 

SLDT (store LDT) can be executed at any 
privilege level. SLDT stores the local descrip- 
tor table selector from the LDT register. 

Task Register loading or storing is again 
similar to that of the LDT. The LTR instruc- 
tion, operating only at level 0, loads the LTR 
at initialization time with a selector for the 
initial TSS. LTR does NOT cause a task 
switch; it just changes the current TSS. Note 
that the busy bit of the old TSS descriptor is 
not changed while the busy bit of the new TSS 
selector must be zero and will be set by LTR. 
The LDT and any segment registers referring 
to the old LDT should be reloaded. STR, 
which permits the storing of TR contents into 
memory, can be executed at any privilege 
level. LTR is not usually needed after initial- 
ization because the TR is managed by the 
task-switch operation. 



10-3 



SYSTEM CONTROL AND INITIALIZATION 



10.2.2 Machine Status Word 

The Machine Status Word (MSW) indicates 
the iAPX 286 configuration and status. It is 
not part of a task's state. The MSW word is 
loaded by the LMSW instruction executed at 
privilege level only, or is stored by the 
SMSW instruction executing at any privilege 
level. MSW is a 16-bit register, the lower four 
bits of which are used. These bits have the 
meanings shown in table 10-1. 

The TS flag is set under hardware control and 
reset under software control. Once the TS flag 
is set, the next instruction using a processor 
extension causes a processor extension not- 
present exception (#7). This feature allows 
software to test whether the current proces- 
sor extension state belongs to the current task 
as discussed in section 11.4. If the current 

Table 10-1. MSW Bit Functions 



Bit 
Position 


Name 


Function 





PE 


Erotected mode finable places 
the 80286 into protected mode 
and cannot be cleared except by 
RESET. 


1 


MP 


Monitor processor extension 
allows WAIT instructions to cause 
a processor extension not- 
present exception (number 7). 


2 


EM 


Emulate processor extension 
causes a processor extension 
not-present exception (number 7) 
on ESC instructions to allow a 
processor extension to be 
emulated. 


3 


TS 


Iask switched indicates the next 
instruction using a processor 
extension will cause exception 7, 
allowing software to test whether 
the current processor extension 
context belongs to the current 
task. 



processor extension state belongs to a differ- 
ent task, the software can save the state of 
any processor extension with the state of the 
task that uses it. Thus, the TS bit protects a 
task from processor extension errors that 
result from the actions of a previous task. 

The CLTS instruction is used to reset the TS 
flag after the exception handler has set up the 
proper processor extension state. The CLTS 
instruction can be executed at privilege level 
only. 

The EM flag indicates a processor extension 
function is to be emulated by software. If 
EM = 1 and MP=0, all ESCAPE instruc- 
tions will be trapped via the processor exten- 
sion not-present exception (#7). 

MP flag tells whether a processor extension 
is present. If MP = 1 and TS=1, escape and 
wait instructions will cause exception 7. 

The PE flag indicates that the iAPX 286 is 
in the protected virtual address mode. Once 
the PE flag is set, it can be cleared only by a 
reset, which then puts the system in real 
address mode emulating the 8086. 

Table 10-2 shows the recommended usage of 
the MSW. 



10.2.3 Other Instructions 

Instructions that verify or adjust access rights, 
segment limits, or privilege levels can be used 
to avoid exceptions or faults that are correct- 
able. Section 10.3 describes such instructions. 



10.3 PRIVILEGED AND TRUSTED 
INSTRUCTIONS 

Instructions that execute only at CPL=0 are 
called "privileged." An attempt to execute the 
privileged instructions at any other privilege 
level causes a general protection exception 
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Table 10-2. Recommended MSW Encodings for Processor Extension Control 



TS 


MP 


EM 


Recommended Use 


Instructions 

Causing 

Exception 











iAPX 86 real address mode only. Initial encoding after RESET. iAPX 
286 operation is identical to iAPX 86, 88. 


None 








1 


No processor extension is available. Software will emulate its 
function. 


ESC 


1 





1 


No processor extension is available. Software will emulate its 
function. The current processor extension context may belong to 
another task. 


ESCS 





1 





A processor extension exists. 


None 


1 


1 





A processor extension exists. The current processor extension 
context may belong to another task. The exception on WAIT allows 
software to test for an error pending from a previous processor 
extension operation. 


ESC or 
WAIT 



(#13) with an error code of zero. The privi- 
leged instructions manipulate descriptor tables 
or system registers. Incorrect use of these 
instructions can produce unrecoverable 
conditions. Some of these instructions 
(LGDT, LLDT, and LTR) are discussed in 
section 10.2. 

Other privileged instructions are: 

• LIDT — Load interrupt descriptor table 
register 

• LMSW — Load machine status word 

• CLTS— Clear task switch flag 

• HALT — Halt processor execution 

"Trusted" instructions are restricted to 
execution at privilege levels that can be 
programmed. For each task, the operating 
system defines a privilege level below which 
these instructions cannot be used. Most of 
these instructions deal with input/output or 
interrupt management. The IOPL field in the 



flag word holds the privilege level limit. The 
trusted instructions are: 

• Input/Output — Block I/O, Input, and 
Output: IN, INW, OUT, OUTW, INSB, 
INSW, OUTSB, OUTSW 

• Interrupts — Enable Interrupts, Disable 
Interrupts: STI, CLI 

• Other— Lock Prefix 

Note: POPF (POP flags) or IRET can change 
the IF value only if the user is operating at a 
trusted privilege level. POPF does not change 
IOPL except at Level 0. 



10.4 INITIALIZATION 

Whenever the iAPX 286 is initialized or reset, 
certain registers are set to predefined values. 
All additional desired initialization must be 
performed by user software. (See Appendix 
A for an example of a 286 initialization 
routine.) RESET forces the iAPX 286 to 
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terminate all execution and local bus activity; 
no instruction or bus action will occur as long 
as RESET is active. Execution in real address 
mode begins after RESET becomes inactive 
and an internal processing interval (3-4 
clocks) occurs. The initial state at reset is: 

FLAGS = 0002 

MSW = FFFOH 

IP = FFFOH 

CS Selector = F000H CS.base = FF0000H CS.limit = FFFFH 

ES, CS Selector = 0000H DS.base = 000000H DS.limit = FFFFH 

IDT base = OOO00OH IDT.limit = 03FFH 

Two fixed areas of memory are reserved: the 
system initialization area and the interrupt 
table area. The system initialization area 
begins at FFFFFOH (through FFFFFFH) 
and the interrupt table area begins at 
000000H (through 0003FFH). The interrupt 
table area is not reserved. 

At this point, segment registers are valid and 
protection bits are set to 0. The iAPX 286 
begins operation in real address mode, with 
PE=0. Maskable interrupts are disabled, and 
no processor extension is assumed or emulated 
(EM=MP=0). 

DS, ES, and SS are initialized at reset to 
allow access to the first 64K of memory 
(exactly as in the 8086). The CS:IP combi- 
nation specifies a starting address of 
FFFFOH. For real address mode, the four 
most significant bits are not used, providing 
the same FFFOH address as the 8086 reset 
location. Use of (or upgrade to) the protected 
mode can be supported by a bootstrap loader 
at the high end of the address space. As 
mentioned in Chapter 5, location FFFOH 
ordinarily contains a JMP instruction whose 
target is the actual beginning of a system 
initialization or restart program. 

After RESET, CS points to the top 64K bytes 
in the 16-Mbyte physical address space. 
Reloading CS register by a control transfer 



to a different code segment in real address 
mode will put zeros in the upper 4 bits. Since 
the initial IP is FFFOH, all of the upper 64K 
bytes of address space may be used for 
initialization. 

Sections 10.4.1 and 10.4.2 describe the steps 
needed to initialize the iAPX286 in the real 
address mode and the protected mode, 
respectively. 

10.4.1 Real Address Mode 

1 . Allocate a stack. 



2. 



Load programs and data into memory 
from secondary storage. 



Initialize external devices 
Interrupt Vector Table. 



and the 



4. Set registers and MSW bits to desired 
values. 

5. Set FLAG bits to desired values — 
including the IF bit to enable inter- 
rupts — after insuring that a valid inter- 
rupt handler exists for each possible 
interrupt. 

6. Execute (usually via an inter-segment 
JMP to the main system program). 

10.4.2 Protected Mode 

The full iAPX 286 virtual address mode 
initialization procedure requires additional 
steps to operate correctly: 

1 . Load programs and associated descriptor 
tables. 

2. Load valid descriptor tables, setting the 
GDTR and IDTR to their correct value. 

3. Set the PE bit to enter protected mode. 

4. Execute an intra-segment JMP to clear 
the processor queues. 
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5. Load or construct a valid task state 
segment for the initial task to be executed 
in protected mode. 

6. Load the LDTR selector from the task's 
GDT or 0000H (null) if an LDT is not 
needed. 

7. Set the stack pointer (SS, SP) to a valid 
location in a valid stack segment. 

8. Mark all items not in memory as 
not-present. 

9. Set FLAGS and MSW bits to correct 
values for the desired system 
configuation. 

10. Initialize external devices. 

11. Ensure that a valid interrupt handler 
exists for each possible interrupt. 

1 2. Enable interrupts. 

13. Execute. 



The example in Appendix A shows the steps 
necessary to load all the required tables and 
registers that permit execution of the first task 
of a protected mode system. The program in 
Appendix A assumes that Intel development 
tools have been used to construct a prototype 
GDT, IDT, LDT, TSS, and all the data 
segments necessary to start up that first task. 
Typically, these items are stored on EPROM; 
on most systems it is necessary to copy them 
all into RAM to get going. Otherwise, the 
iAPX 286 will attempt to write into the 
EPROM to set the accessed or busy bits. 

The example in Appendix A also illustrates 
the ability to allocate unused entries in 
descriptor tables to grow the tables dynami- 
cally during execution. Using suitable naming 
conventions, the builder can allocate alias data 
segments that are larger than the prototype 
EPROM version. The code in the example 
will zero out the extra entries to permit later 
dynamic usage. 
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ADVANCED TOPICS 



This chapter describes some of the advanced 
topics as virtual memory management, 
restartable instructions, special segment 
attributes, and the validation of descriptors 
and pointers. 

11.1 VIRTUAL MEMORY MANAGEMENT 

When access to a segment is requested and 
the access byte in its descriptor indicates the 
segment is not present in real memory, the 
not-present fault occurs (exception 11 or 12 
for stacks). The handler for this fault can be 
set up to bring the absent segment into real 
memory (swapping or overwriting another 
segment if necessary), or to terminate execu- 
tion of the requesting program if this is not 
possible. 

The accessed bit (bit 0) of the access byte is 
provided in both executable and data segment 
descriptors to support segment usage profil- 
ing. Whenever the descriptor is accessed by 
the iAPX 286 hardware, the A-bit will be set 
in memory. This applies to selector test 
instruction (described below) as well as to the 
loading of a segment register. The reading of 
the access byte and the restoration of it with 
the A-bit set is an indivisible operation, i.e., 
it is performed as a read-modify-write with 
bus lock. If an operating system develops a 
profile of segment usage over time, it can 
recognize segments of low or zero access and 
choose among these candidates for 
replacement. 

When a not-present segment is brought into 
real memory, the task that requested access 
to it can continue its execution because all 
instructions that load a segment register are 
restartable. 

Not-present exceptions occur only on segment 
register load operations, gate accesses, and 



task switches. The saved instruction pointer 
refers to the first byte of the violating 
instruction. All other aspects of the saved 
machine state are exactly as they were before 
execution of the violating instruction began. 
After the fault handler clears up the fault 
condition and performs an IRET, the program 
continues to execute. The only external 
indication of a segment swap is the additional 
execution time. 

11.2 SPECIAL SEGMENT ATTRIBUTES 
11.2.1 Conforming Code Segments 

Code segments intended for use at potentially 
different privilege levels need an attribute that 
permits them to emulate the privilege level of 
the calling task. Such segments are termed 
"conforming" segments. Conforming 
segments are also useful for interrupt-driven 
error routines that need only be as privileged 
as the routine that caused the error. 

A conforming code segment has bit 2 of its 
access byte set to 1. This means it can be 
referenced by a CALL or JMP instruction in 
a task of equal or lesser privilege, i.e., CPL of 
the task is numerically greater than or equal 
to DPL of this segment. CPL does not change 
when executing the conforming code segment. 
A conforming segment continues to use the 
stack from the CPL. This is the only case in 
which the DPL of a code segment can be 
numerically less than the CPL. If bit 2 is a 0, 
the segment is not conforming and can be 
referenced only by a task of CPL = DPL. 

Inter-segment Returns that refer to conform- 
ing code segments use the RPL field of the 
code selector of the return address to deter- 
mine the new CPL. The RPL becomes the 
new CPL if the conforming code segment 
DPL<RPL. 
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If a conforming segment is readable, it can be 
read from any privilege level without restric- 
tion. This is the only exception to the protec- 
tion rules. This allows constants to be stored 
with conforming code. For example, a read- 
only look-up table can be embedded in a 
conforming code segment that can be used to 
convert system-wide logical ID's into charac- 
ter strings that represent those logical entities. 

11.2.2 Expand-Down Data Segments 

If bit 2 in the access byte of a data segment 
is 1, the segment is an expand-down segment. 
All the offsets that reference such a segment 
must be strictly greater than the segment 
limit, as opposed to normal data segments (bit 
2 = 0) where all offsets must be less than or 
equal to the segment limit. Figure 11-1 shows 
an expand-down segment. 

The size of the expand down segment can be 
changed by changing either the base or the 
limit. An expand down segment with 
Limit.=0 will have a size of 2 16 — 1 bytes.. 
With a limit value of FFFFH, the expand 
down segment will have a size of bytes. In 
an expand down segment, the base + offset 
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Figure 11-1. Expand Down Segment 



value should always be greater than the base 
+ limit value. Therefore, a full size segment 
(2 16 bytes) can only be obtained by using an 
expand up segment. 

The operating system should check the 
Expanded Down bit when a protection fault 
indicates that the limit of a data segment has 
been reached. If the Expand Down bit is not 
set, the operating system should increase the 
segment limit; if it is set, the limit should be 
lowered. This supplies more room in either 
case (assuming the segment is not write- 
protected, i.e., that bit 1 is not 0). In some 
cases, if the operating system can ascertain 
that there is not enough room to expand the 
data segment to meet the need that caused 
the fault, it can move the data segment to a 
region of memory where there is enough 
room. See figure 1 1 -2. 

1.1.3 POINTER VALIDATION 

Pointer validation is an important part of 
locating programming errors. Pointer valida- 
tion is necessary for maintaining isolation 
between the privilege levels. Pointer valida- 
tion consists of the following steps: 

1. Check if the supplier of the pointer is 
entitled to access the segment. 

2. Check if the segment type is appropriate 
to its intended use. 

3. Check if the pointer violates the segment 
limit. 

The iAPX 286 hardware automatically 
performs checks 2 and 3 during instruction 
execution, while software must assist in 
performing the first check. This point is 
discussed in section 11.3.2. Software can 
explicitly perform steps 2 and 3 to check for 
potential violations (rather than causing an 
exception). The unprivileged instructions 
LSL, LAR, VERR, and VERW are provided 
for this purpose. 
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Figure 1 1-2. Dynamic Segment Relocation and Expansion of Segment Limit 



The load access rights (LAR) instruction 
obtains the access rights byte of a descriptor 
pointed to by the selector used in the instruc- 
tion. If that selector is visible at the CPL, the 
instruction loads the access byte into the 
specified destination register as the higher 
byte (the low byte is zero) and the zero flag 
is set. Once loaded, the access bits can be 
tested. System segments such as a task state 
segment or a descriptor table cannot be read 
or modified. This instruction is used to verify 
that a pointer refers to a segment of the 
proper privilege level and type. If the RPL or 
CPL is greater than DPL, or the selector is 
outside the table limit, no access value is 
returned and the zero flag is cleared. 
Conforming code segments may be accessed 
from any RPL or CPL. 

Additional parameter checking can be 
performed via the load segment limit (LSL) 
instruction. If the descriptor denoted by the 
given selector (in memory or a register) is 
visible at the CPL, LSL loads the specified 
register with a word that consists of the limit 
field of that descriptor. This can only be done 
for segments, task state segments, and local 



descriptor tables (i.e., words from control 
descriptors are inaccessible). Interpreting the 
limit is a function of the segment type. For 
example, downward expandable data 
segments treat the limit differently than code 
segments do. 

For both LAR and LSL, the zero flag (ZF) 
is set if the loading was performed; otherwise, 
the zero flag is cleared. Both instructions are 
undefined in real address mode, causing an 
invalid opcode exception (interrupt #6). 

11 .3. 1 Descriptor Validation 

The iAPX 286 has two instructions, VERR 
and VERW, which determine whether a 
selector points to a segment that can be read 
or written at the current privilege level. 
Neither instruction causes a protection fault 
if the result is negative. 

VERR verifies a segment for reading and 
loads ZF with 1 if that segment is readable 
from the current privilege level. The valida- 
tion process checks that: 1 ) the selector points 
to a descriptor within the bounds of the GDT 
or LDT, 2) it denotes a segment descriptor 
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(as opposed to a control descriptor), and 3) 
the segment is readable and of appropriate 
privilege level. The privilege check for data 
segments and non-conforming code segments 
is that the DPL must be numerically greater 
than or equal to both the CPL and the selec- 
tor's RPL. Conforming segments are not 
checked for privilege level. 

VERW provides the same capability as 
VERR for verifying writability. Like the 
VERR instruction, VERW loads ZF if the 
result of the writability check is positive. The 
instruction checks that the descriptor is within 
bounds, is a segment descriptor, is writable, 
and that its DPL is numerically greater or 
equal to both the CPL and the selector's RPL. 
Code segments are never writable, conform- 
ing or not. 

11.3.2 Pointer Integrity: RPL and the 
"Trojan Horse Problem" 

The Requested Privilege Level (RPL) feature 
can prevent inappropriate use of pointers that 
could corrupt the operation of more privi- 
leged code or data from a less privileged level. 

A common example is a file system proce- 
dure, FREAD (file_id, nybytes, buffer-ptr). 
This hypothetical procedure reads data from 
a file into a buffer, overwriting whatever is 
there. Normally, FREAD would be available 
at the user level, supplying only pointers to 
the file system procedures and data located 
and operating at a privileged level. Normally, 
such a procedure prevents user-level proce- 
dures from directly changing the file tables. 
However, in the absence of a standard proto- 
col for checking pointer validity, a user-level 
procedure could supply a pointer into the file 
tables in place of its buffer pointer, causing 
the FREAD procedure to corrupt them 
unwittingly. 

By using the RPL, you can avoid such 
problems. The RPL field allows a privilege 



attribute to be assigned to a selector. This 
privilege attribute would normally indicate the 
privilege level of the code which generated the 
selector. The iAPX 286 hardware will 
automatically check the RPL of any selector 
loaded into a segment register or a control 
register to see if the RPL allows access. 

To guard against invalid pointers, the called 
procedure need only ensure that all selectors 
passed to it have an RPL at least as high 
(numerically) as the caller's CPL. This 
indicates that the selectors were not more 
trusted than their supplier. If one of the 
selectors is used to access a segment that the 
caller would not be able to access directly, i.e., 
the RPL is numerically greater than the DPL, 
then a protection fault will result when loaded 
into a segment or control register. 

The caller's CPL is available in the CS selec- 
tor that was pushed on the stack as the return 
address. A special instruction, ARPL, can be 
used to appropriately adjust the RPL field of 
the pointer. ARPL (Adjust RPL field of 
selector instruction) adjusts the RPL field of 
a selector to become the larger of its original 
value and the value of the RPL field in a 
specified register. The latter is normally 
loaded from the caller's CS register. If the 
adjustment changes the selector's RPL, ZF is 
set; otherwise, the zero flag is cleared. 

11.4 NPX CONTEXT SWITCHING 

The context of a processor extension (such as 
the 80287 numerics processor) is not changed 
by the task switch operation. A processor 
extension context need only be changed when 
a different task attempts to use the processor 
extension (which still contains the context of 
a previous task). The 80286 detects the first 
use of a processor extension after a task switch 
by causing the processor extension not-present 
exception (#7). The interrupt handler may 
then decide whether a context change is 
necessary. 
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The 286 services numeric errors only when it 
executes wait or escape instructions because 
the processor extension is running independ- 
ently. The numerics error from one task may 
be recorded when the 286 is running a differ- 
ent task. If the 286 task has changed, it makes 
sense to defer handling that error until the 
original task is restored. For example, inter- 
rupt handlers that use the NPX should not 
have their timing upset by a numeric error 
interrupt that pertains to some earlier process. 
It is of little value to service someone else's 
error. 

If the task switch bit is set (bit 3 of MSW) 
when the CPU begins to execute a wait or 
escape instruction, the processor-extension 
not-present exception results (#7). The 
handler for this interrupt must know who 
currently "owns" the NPX, i.e., the handler 
must know the last task to issue a command 
to the NPX. If the owner is the same as the 
current task, then it was merely interrupted 
and the interrupt handler has since returned; 
the handler for interrupt 7 simply clears the 
TS bit, restores the working registers, and 
returns (restoring interrupts if enabled). 

If the recorded owner is different from the 
current task, the handler must first save the 
existing NPX context in the save area of the 
old task. It can then re-establish the correct 
NPX context from the current task's save 
area. 



followed in some cases by the kernel stack and 
kernel private data areas. 

The implied convention is that the stack 
segment selector points to this data segment 
alias so that whenever there is an interrupt at 
level zero and SS is automatically loaded, all 
of the above information is immediately 
addressable. 

It is assumed that the program example knows 
about only one data segment that points to a 
global data area in which it can find the one 
word NPX owner to begin the processing 
described. The specific operations needed, and 
shown in the figure, are listed in table 11-1. 



11.5 MULTIPROCESSOR 
CONSIDERATIONS 

As mentioned in Chapter 8, a bus lock is 
applied during the testing and setting of the 
task busy bit to ensure that two processors do 
not invoke the same task at the same time. 
However, protection traps and conflicting use 
of dynamically varying segments or descrip- 
tors must be addressed by an inter-processor 
synchronization protocol. The protocol can use 
the indivisible semaphore operation of the 
base instruction set. Coordination of inter- 
rupt and trap vectoring must also be 
addressed when multiple concurrent proces- 
sors are operating. 



The code example in figure 11-3 relies on the 
convention that each TSS entry in the GDT 
is followed by an alias entry for a data 
segment that points to the same physical 
region of memory that contains the TSS. The 
alias segment also contains an area for saving 
the NPX context, the kernel stack, and certain 
kernel data. That is, the first 44 bytes in that 
segment are the 286 context, followed by 94 
bytes for the processor extension context, 



The interrupt bus cycles are locked so no 
interleaving occurs on those cycles. Descrip- 
tor caching is locked so that a descriptor 
reference cannot be altered while it is being 
fetched. 

When a program changes a descriptor that is 
shared with other processors, it should broad- 
cast this fact to the other processors. This 
broadcasting can be done with an inter- 
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processor interrupt. The handler for this 
interrupt must ensure that the segment regis- 
ters, the LDTR and the TR, are re-loaded. 
This happens automatically if the interrupt is 
serviced by a task switch. 

Modification of descriptors of shared 
segments in multi-processor systems may 
require that the on-chip descriptors also be 
updated. For example, one processor may 
attempt to mark the descriptor of a shared 



segment as not-present while another is using 
it. Software has to ensure that the descriptors 
in the segment register caches are updated 
with the new information. The segment regis- 
ter caches can be updated by a re-entrant 
procedure that is invoked by an inter- 
processor interrupt. The handler must ensure 
that the segment registers, the LDTR and the 
TR, are re-loaded. This happens automati- 
cally if the interrupt is serviced by a task 
switch. 



ASSEMBLER INVOKED 
LOC OBJ 



oooo 

0000 so 

0001 1E 

0002 BB 

000S 8ED8 

0007 OF00C8 

A 24FC 

O00C F 06 

O00E FA 



0O0F 3B060000 

0013 7412 

0015 87060000 

0019 0S080O 

001C BEDS 

001E DD362C00 

0022 36DD262C00 
0027 

0027 IF 

0028 58 

0029 CF 



ASM286,86 : F 5 : S U N P X . A 86 

LINE SOURCE 

1 »1 It 1 1 1 e( % Swl ten the NPX Context on First Use After a Tut Switch') 

2 

3 name s w 1 t ch_npx_con t e x t 

4 

5 public swl tch_NPX_contex t 

6 extrn 1 a s t_np l_t a 9 k ; wo r d 

This interrupt handler will switch the NPX context If a new task 
Is attempting to use the NPX. context of another task after a t a s k 
switch. If the NPX context belongs to the current task, nothing happens. 

A trap gate should be placed in IDT entry 7 referring to this routine. 
The DPL of the gate should be to prevent spoofing. The code segment 
must be at pr 1 vl lege level . 

The kernel stack Is assumed to overlay the TSS and the NPX save area 
Is placed at the end of the TSS area. 

A global word variable L A ST_NP X_T ASK Identifies the TSS selector of 
the last task to use the NPX. 



npx_s ave_a r ea 




equ wor 


ptr 


44 ; Offset of 


NPX save area In 


TSS 


$e)ect 
kerne l_c ode 




segment 


"■ 


ubli 








s wl t ch_npx_con 
push 


text 
ax 


p r o c 


far 


wc(0 


Save working r egl 


t er s 




mo v 


ax , s e 


las t_npx_ 


tas 


■ 


Get address of Id 


of last NPX task 




mo v 

str 

and 

cits 

ell 


d s , ax 

ax 

al.no 


3 






Get id of this ta 
Remove RPL field 
Clear task switch 
No Interrupts all 


k 

d flag 
wed! 




; Last_n 
emp 


px_»ord 

ax , ds 

same_ 


cannot cha 

1 as t_n p x_t 
ask 


nge 
ask 


due 


o other interrupts 
See If same task 


after this point 




x chg 
add 
mo v 
f s a ve 
f rstor 


ax , d s 

ax, 8 
ds , a x 
ds : np 
ss:np 


1 a s t_npx_t 

<_sa ve_a r ea 
x_save_ar ea 


ask 




Set new task Id a 
Go to TSS alias 
Address TSS of pr 
Save old NPX stat 
Get current NPX s 


nd get old one 

evlous NPX task 

e 

tate 




same_task : 
pop 
pop 


ds 
ax 








Return to interru 


pted program 




s w 1 t c h_npx_con 


text 


endp 













WARNING '160 , 



5 4 kernel-code ends 

LINE '54, SEGMENT CONTAINS PRIVILEGED INSTRUCTIONS 
SS end 



Figure 11-3. Example of NPX Context Switching 
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ADVANCED TOPICS 



Table 1 1-1. NPX Context Switching 



Step 


Operation 


Lines 


1. 


Save the working registers 


28,29 


2. 


Set up address for kernel work area 


30,31 


3. 


Get current task ID from Task Register 


32 


4. 


Clear Task Switch flag to allow NPX work 


34 


5. 


Inhibit interrupts 


35 


6. 


Compare owner with current task ID 


37 


If same owner: 






7a. 


Restore working registers 


48,49 


7b. 


and return 


50 


If owner is not 






current task: 






8a. 


Use owner ID to save old context in its TSS 


42, 43, 44 


8b. 


Restore context of current task; 


45 




restore working registers; 


46 




and return 


52 
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System Initialization A-1 



APPENDIX A 
iAPX 286 SYSTEM INITIALIZATION 



ItltleC Switch the 80286 from Real Address Mode to Protected Mode') 
name switch 8 286_modes 
public t d t_d e s c , g d t_d e s e 

Switch the 80286 from real address mode Into protected mode. 
The Initial EPROM GDT, IDT, TSS, and LDT (If any) constructed by BLD286 
will be copied from EPROM Into RAM. The RAM areas are defined by data 
segments allocated as fixed entries In the GDT. The CPU registers for 
the GDT, IDT, TSS, and LDT will be set to point at the RAM-based 
segments. The base fields in the RAM-based GDT will also be updated to 
point at the RAM-based segments. 

This code is used by adding it to the list of object modules given 
to BLD286. BLD286 must then be told to place the segment 
lnlt_code at address FFFE10H. Execution of the mode switch code begins 
after RESET. This happens because the mode switch code will start at 
physical address FFFFFOH, which is the power up address. This code then 
sets up RAM copies of the EPROM-based segments before jumping to the 
initial task placed at a fixed GDT entry. After the jump, the CPU 
executes in the state of the first task defined by BLD286. 

This code will not use any of the EPkOM-based tables directly. 
Such use would result In the 80286 writing into EPROM to set 
the A bit. Any use of a GDT or TSS will always be in the RAM copy. 
The limit and size of the EPROM-based GDT and IDT must be stored at 
the public symbols ldt_desc and gdt_desc. The location commands of BLD286 
provide this function 

Interrupts are disabled during this mode switching code. Full error 
checking is made of the EPROM-based GDT, IDT, TSS, and LDT to assure 
they are valid before copying them to RAM. If any of the RAM-based 
alias segments are smaller than the EPROM segments they are to hold, 
halt or shutdown will occur. In general, any exception or NMI will 
cause shutdown to occur until the first task is invoked. 

If the RAM segment is larger than the EPROM segment, the RAM segment 
will be expanded with zeros. If the Initial TSS specifies an LDT, 
the LDT will also be copied into 1 d t_a 1 1 a s with zero fill If needed. 
The EPROM-based or RAM-based GDT, IDT, TSS, and LDT segments may be located 
anywhere In physical memory. 
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Form an adjustment factor from the real CS base of FFOOOOH to the 
segment base address assumed by ASM286. Any data reference made 
into CS must add an Indexing term [BPJ to compensate for the difference 
between the offset generated by ASM286 and the offset required from 
the base of FFOOOOH . 



start 



star t 1 



p r o c 
call 



pop 
sub 



lldt 



start 1 



b P 



bp, offset s t a r t 1 
1 nl t lal_gdt [ bp ] 



The value of IP at run time will not be 

the same as the one used by ASM286! 
Get true offset of start! 



Subtract A S M 2 8 6 offset of startl 
leaving adjustment factor in BP 

Setup null IDT to force shutdown 
on any protection error or, interrupt 



Copy the EPROM-based temporary GDT into RAM. 

lea s i , 1 n 1 t 1 a l_gd t [ bp 1 ; Setup pointer to temporary GDT 

; template In EPROM 

mov c x , ( end_gd t - 1 n i t i a 1 g d t ) / 2 ; Set length 

mo v s e s : w o r d ptr [dl],cs:[sll; Put Into reserved RAM area 

Look for 80287 processor extension. Assume all ones will be read 
if an 80287 is not present. 

Initialize 80287 If present 

Assume no 80287 

Look at status of 80287 

No errors should be present 

Jump if no 80287 

Put 80287 into protected mode 
iy bx ,MP 

Switch to protected mode and setup a stack, GDT, and LDT. 



f n 1 n i t 




mov 


bx ,EM 


f 5 t 3 w 


a x 


o r 


,a 1 , a 1 


jnz 


s e t_mod e 


f s e t pm 





a e t_mode 



lms w 
jmp 



ax 

ax ,PE 
ax , b x 
ax 

«*2 



Get current MSW 

Set PE bi t 

Set NPX status flags 

Enter protected mode! 

Clear queue of Instructions decoded 

while in Real Address Mode 
CPL is now 0, CS still points at 
FFFE10 in physical memory 
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Define the template for a temporary GDT used to locate the Initial 
GDT and stack. This data will be copied to location 0. 
This space Is also used for a temporary stack and finally serves 
as the TSS written Into when entering the Initial TSS. 



1 n 1 t 1 al_gd t 
g d t_d esc 
i d t_dese 
t em p_d esc 



org 

d e s c 
d e s c 
de s c 
d e s c 



< > 

< > 

< > 

< > 



; Place remaining code below power_up 

Filler and null IDT descriptor 
Descriptor for EPROM GDT 
Descriptor for EPROM I DT 
Temporary descriptor 



Define a descriptor that will point the GDT at location 0. 
This descriptor will also be loaded Into SS to define the Initial 
protected mode stack segment. 



t emp_s tack 



d e s c 



<end_gdt -Initio l_g d t - 1 , , ,DS_ACCESS , 0> 



Define the TSS descriptor used to allow the task switch to the 
first task to overwrite this region of memory. The TSS will overlay 
the initial GDT and stack at location 0. 

save_tss desc < e n d_g d t - 1 n 1 t 1 a l_g d t - 1 , , , T S S_A C C E S S , > 

Define the initial stack space and filler for the end of the TSS. 



e n d_g d t 



dw 8 dup ( ) 
label word 



s t a r t_p o 1 n t e r label dword 

dw 0,start_task ; Pointer to Initial task 

Define template for the task definition list. 



t a s k_e n t r y 

TSS_sel 
TSS_a lias 
LDT_a lias 
t a s k_e n t r y 

task_l Is t 



r e s e t_s t a r t u p : 
cl 1 
cl d 
x o r 
m o v 
m o v 
mo v 
m o v 



s t r u c 

dw ? 

dw ? 

dw ? 
ends 

t a s k_e n t r y ■ 

dw 



di ,dl 
ds.di 
e 3 , d i 
s s , d i 
sp,end_gdt-inltlal_gdt 



Define layout of task description 

Selector for TSS 

Data segment alias for TSS 

Data segment alias for LDT If any 



<start_task,star t_TSS_a 1 i a s , s t ar t_LDT_a lias* 
; Terminate list 



No interrupts allowed! 
Use a u t o 1 n c r em e n t mode 
Point ES:DI at physical address O0000OH 



Set stack at end of reserved area 
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Define layout of a descriptor 



d e s c 

limit 

b a 3 e_l o w 

ba s e_h i g h 

access 

res 

d e s c 



s t r u c 
d w 
d w 
db 
db 
d w 
ends 



Offset of last byte in segment 
Low 16 bits of 24-bit address 
High 8 bits of 24-bit address 
Access rights byte 
Reserved word 



Define the fixed 6DT selector values for the descriptors that 
define the EPROM-based tables. BLD286 must be instructed to place the 
appropriate descriptors into the GDT. 



gd t_a lias equ 

1 d t_a lias equ 

star t_TSS_a lias equ 

s t a r t_t a s k equ 

s t a r t_L DT_a 1 1 a s equ 



1 * s 1 z e desc 

2 * s 1 z e desc 

3 * s 1 z e desc 

4 • s 1 z e desc 

5 * size desc 



GDT(1) is data segment in RAM for 

GDT(2) is data segment in RAH for 

GDT(3) is data segment in RAM for 

GDT(4) is TSS for starting task 

GDT(5) is data segment in RAM for 



GDT 
IDT 
TSS 

LDT 



Define machine status word bit positions 



PE 
MP 
EM 



equ 
equ 
equ 



Protection enable 

Monitor processor extension 

Emulate processor extension 



Define particular values of descriptor access rights byte 



level 0, wrlteable 

an idle TSS 

of access rights 



Access byte value for an LDT 
Access byte value for data segment 

which is grow up, at 
Access byte value for 
Privilege level field 
Define accessed bit 
Position of TI bit 
Size of a TSS 
Position of LDT in TSS 
Tl and RPL field mask 



Pass control from the power-up address to the mode switch code. 
The segment containing this code must be at physical address FFFE10H 
to place the JMP instruction at physical address FFFFFOH. The base 
address is chosen according to the size of this segment. 



DT_ACCESS 


equ 


82H 


DS_ACCESS 


equ 


92H 


TSS_ACCESS 


equ 


81H 


DPL 


equ 


6 H 


ACCESSED 


equ 


1 


Tl 


equ 


4 


T S S_S I ZE 


equ 


44 


LDT_0FFSET 


equ 


42 


T I RP 1 MASK 


equ 


size desc-1 



1 n 1 t_c ode 



c s_o f f s e t 



segmenter 

equ 0FE10H 

org 0FFF0H-es_of f set 

] mp r e s e t_s t a r t u p 



Low 16 bits of starting address 
Start at address FFFFFOH 
Do not change CS! 
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start endp 

Copy the TSS and LDT for the task pointed at by CS 

If the t a a k has an LDT It will also be copied down. 

B X and B P are transparent. 



BX 



bad_t s s : 

hi t 
cop y_t asks 

m o v 
m o v 
m o v 
m o v 
1 si 
m o v 
lar 
jnz 

m o v 
and 
cnp 
jnz 

lsl 
c m p 



p r o c 

s 1 , gd t_a lias 
ds , s 1 

3l,cs:tbx].ts s_a lias 
es , s 1 
a x , s 1 

sl,cs:[bxl.ts s_s e 1 
dx , s 1 
bad_t s s 

dl ,dh 

dh , not DPL 

dh,TSS_ACCESS 

ba d_t s s 

c x , s 1 

ex , TSS_SIZE- 1 

ba d_t s s 



Halt here if TSS is 1 nval i d 



Get addressabl 1 1 ty to CDT 

Get selector for TSS alias 

Point ES at alias data segment 

Get length of TSS alias 

Get TSS selector 

Get alias access rights 

Jump If invalid reference 

Save TSS descriptor access byte 
Ignore privilege 
See if TSS 

Jump If not 

Get length of EPROM based TSS 
Verify it is of proper size 
Jump if it is not big enough 



Setup for moving the EPROM-based TSS to RAM 
DS points at GDT 



mov I s 1 ] . acces s , DS_ACCESS 

m o v d s i s i 

call c opy_w 1 t h_f 1 1 1 



Make TSS into data segment 
PolntDSatEPROMTSS 

Copy DS segment to ES with zero fill 
CX has copy count, AX-CX fill count 



Set the GDT TSS limit and base address to the RAM values 



mov 
mov 
mov 
mov 
mov 
m o v s w 
m o v s w 
1 o d a w 
mov 
s t o s w 
m o v s w 



a x , gd t_a lias 
d s , ax 
e s , ax 
di.es 
a 1 , c s 



ah , dl 



tbx] 
[bxl 



t ss_sel 
t s s_a lias 



Restore GDT addressing 



Get TSS selector 

Get RAM alias selector 

Copy 1 1 m 1 t 

Copy low 16 bits of address 

Get high 8 bits of address 

Mark as TSS descriptor 

Fill in high address and access bytes 

Copy reserved word 
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lgdt 

mov 
mov 
x o r 
1 ldt 

mov 
1 tr 



t emp_s t ac k [ bp ] ; Use Initial GDT In RAM area 

ax , t emp_a t ac k - 1 n i t i a 1 g d t ; Setup SS with valid protected mode 



a a , ax 

ax , ax 
ax 



ax,save_taa-inltlal_gdt 



aelector to the RAM GDT and atack 
Set the current LDT to null 
Any reference: to It will cause 

an exception causing shutdown 
Set Initial TSS Into the low RAM 
The teak awltch needs a valid TSS 



Copy the EPROM-based GDT into the RAM data segment alias. 
First the descriptor for the RAM data segment must be copied int 
the temporary GDT. 



m o v 
c m p 

]° 

m o v 
m o v 
cal 1 
m o v 
m o v 
cal 1 
m o v 
m o v 
m o v 

lgdt 



ax , gd t_d esetbp]. limit 
ax, 6* size desc-1 

bad_gd t 



Get size of GDT 

Be sure the last entry expected by 

this code is inside the GDT 
Jump if GDT Is not big enough 



Form selector to EPRDM GDT 
Get selector of GDT alias 
Copy into EPROM 
Get selector of IDT alias 
Indicate EPROM IDT 



bx,gdt_desc-inltlal_gdt 

s i , g d t_a lias 

copy_EPROM_dt 

s 1 , i d t_a lias 

b x , 1 d t_d e s c - 1 n 1 t 1 a l_g d t 

copy_EPROM_dt 

ax , gd t_de s c - 1 n i 1 1 a l_gd t ; Setup addressing Into EPROM GDT 

d s , a x 



bx , g d t_a lias 
Cbx] 



Get GDT alias data segment selector 

Set GDT to RAM GDT 

SS and TR remain in low RAM 



Copy all task's TSS and LDT segments into RAM 

; Define list of tasks to setup 



lea bx , task.l Is t [bp] 
c opy_t a s k_l o op : 

call cop y_ tasks 

add bx,slze task_entry 

mov a x , c s : t bx ] . t s s_s e 1 

or a x , ax 

Jnz c o p y_t a s k_l o o p 



Copy them into RAM 

Go to next entry 

See If- there is another entry 





mov 




mov 




mov 




lidt 




)mp 


ba d_gd t 





With TSS, GDT, and LDT set, startup the Initial task! 

; Point D S at GDT 



bx , g d t_a lias 

ds ,bx 

bx , id t_a lias 

[bx J 

star t_po i n t e r [ b p 1 



hit 



Get IDT alias data segment selector 
Set IDT for errors and interrupts 
Start the first task ! 

The low RAM area is overwritten with 
the current CPU context 

Halt here if GDT is not big enough 
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Test the descriptor table size In AX 
even number of descriptors In length. 



tes t_dt_l 1ml t 



p r o c 



push 


a x 


and 


al ,7 


c mp 


al ,7 


pop 


a x 


]ne 


bad_d t_l lmi t 


ret 




bad_dt_l lmi t : 




hi t 





to verify that it Is 



Save length 

Look at low order bits 
Must be all ones 
Restore length 



All OK 
Die! 



tes t_dt_l lmi t 



e n dp 



Copy the EPROM DT at selector BX In the temporary GDT to the alias 
data segment at selector SI. Any Improper descriptors or limits 
will cause shutdown! 



c o p y E P R M_d t proc 



m o v 
m o v 
m o v 
m o v 
lsl 
m o v 
cal 1 
m o v 
mo v 
m o v 
push 
1 o d s w 
cal 1 

S t s w 

m o v s w 

m o v s w 
m o v s w 
pop 
mo v 



access, DS_ACCESS 
r es , 



ax , s s 
e s , a x 

e s : I b x ] 

es : Cbxl 

a x , b x 

c x , a x 

tes t_dt_l 1ml t 

d 1 , gd t_desc - 1 ni t 1 a 1 g d t 

ds , dl 

dl,temp_desc-lnitlal_gdt 

dl 

tes t_dt_l lmi t 



es 

ds ,bx 



Point ES : Dl at 



temporary descriptor 
data segment 



Mark descriptor as 

Clear reserved word 

Get limit of EPROM DT 

Save for later 

Verify it is a proper limit 

Address EPROM GDT i n DS 

Get selector for temporary descriptor 
Save offset for later use as selector 
Get alias segment size 
Verify it is an even multiple of 

descriptors in length 
Put length into temporary 
Copy remaining entries into temporary 



ES now points at the GDT alias area 
DS now points at EPROM DT as data 
Copy segment to alias with zero fill 
CX is copy count, AX-CX is fill count 
Fall into copy_wi th_f i 1 1 



copy_EPROM_d t endp 
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no_l d t : 
b a d_l d t 



See 

If 50 

mo v 
m o v 
and 
1' 

push 
lar 

]nz 

m o v 
and 
c m p 
]ne 

m o v 
m o v 
lsl 
cal 1 

m o v 



if a valid LDT is specified for the startup task 
then copy the EPRDM version into the RAM alias. 



ds , C3 : Ibx ] , ts s_a lias ; 
si,ds:word ptr LDT_OFFSET 
s 1 , no t TI RPL_MASK ; 
no_ldt - .; 

si 

dx , s 1 

bad_ldt 

dl , dh 

dh , not DPL 

dh, DT_ACCESS 

bad_ldt 

es:tsl]. access, DS_ACCESS 

ds , s 1 

a x , s 1 

tes t_dt_l imi t 

c x , a x 



Address TSS to get LDT 

Ignore TI and RPL 

Skip this if no LDT used 

Save LDT selector 

Test descriptor 

Jump if Invalid selector 

Save LDT descriptor access byte 
Ignore privilege 

Ee sure it is an LDT descriptor 
Jump if Invalid 

Mark LDT as data segment 
Point DS at EPROM LDT 
Get LDT limit 
Verify It is valid 
Save for later 



Examine the LDT alias segment and, if good, copy to RAM 



mov s 1 , c s : t bx 1 . 1 d t_a 1 i a s 

m o v e s , s 1 

lsl ax , s 1 

call tes t_d t_l 1 m 1 t 

call c o py_w i t h_f 1 1 1 



Get ldt alias selector 

Point ES at alias segment 

Get length of alias segment 

Verify it is valid 

Copy LDT into RAM alias segment 



Set the LDT limit and base address to the RAM copy of the LDT 



mov 
pop 
mov 
mov 
mov 
m o v s w 
m o v s w 
1 o d s w 
mov 
s t o s w 
m o v s w 



ret 
hi t 
copy_tasks 



si,cs:tbx).ld t_a lias 

dl 

a x , g d t_a lias 

d s , a x 

e s , a x 



ah , dl 



Restore LDT alias selector 
Restore LDT selector 
Restore GDT addressing 

Move the RAM LDT limit 

Move the low 16 bits across 

Get the high 8 bits 

Mark as LDT descriptor 

Set high address and access rights 

Copy reserved word 

All done 

Halt here if LDT i s 1 nva 1 i d 



e ndp 
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Copy the segment at DS to the segment at ES for length CX. 
Fill the end with AX-CX zeros. Use word operations for speed but 
allow odd byte operations. 



c opy_w 1 t h_f i 1 1 proe 



x o r 


si , s 1 


x o r 


d 1 , d 1 


sub 


a x , c x 


add 


ex , 1 


rcr 


ex, 1 


rep movsw 




xehg 


a x , c x 


J n c 


eve n_c opy 


m o v s b 




o r 


c X , C X 


J* 


e x 1 t_c opy 


s t o s b 




dec 


C X 


eve n_c o py : 




s h r 


CX , 1 


rep stosw 




] n c 


e x i t_c opy 


3 t o s b 




ex 1 t_c o py : 




ret 





Start at beginning of segments 

Form fill count 

Convert limit to count 

Allow full 64K move 

Copy DT into alias area 

Get fill count and zero AX 

Jump if even byte count on copy 

Copy odd byte 

Exit if no fill 

Even out the segment offset 
Adjust remaining fill count 

Form word count on fill 
Clear unused words at end 
Exit if no odd byte remains 

Clear last odd byte 



c opy_w 1 t h_f i 1 1 endp 



1 n 1 t_c ode 



ends 
end 
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APPENDIX B 
THE iAPX 286 INSTRUCTION SET 



This section presents the iAPX 286 instruc- 
tion set using Intel's ASM286 notation. All 
possible operand types are shown. Instruc- 
tions are organized alphabetically according 
to generic operations. Within each operation, 
many different instructions are possible 
depending on the operand. The pages are 
presented in a standardized format, the 
elements of which are described in the 
following paragraphs. 

Opcode 

This column gives the complete object code 
produced for each form of the instruction. 
Where possible, the codes are given as 
hexadecimal bytes, presented in the order in 
which they will appear in memory. Several 
shorthand conventions are used for the parts 
of instructions which specify operands. These 
conventions are as follows: 

/n: (n is a digit from through 7) A ModRM 
byte, plus a possible immediate and displace- 
ment field follow the opcode. See figure B-l 
for the encoding of the fields. The digit n is 
the value of the REG field of the ModRM 
byte. To obtain the possible hexadecimal 
values for /n, refer to column n of table B-l. 
Each row gives a possible value for the effec- 
tive address operand to the instruction. The 
entry at the end of the row indicates whether 
the effective address operand is a register or 
memory; if memory, the entry indicates what 
kind of indexing and/or displacement is used. 
Entries with D8 or D16 signify that a one- 
byte or two-byte displacement quantity 
immediately follows the ModRM and optional 
immediate field bytes. The signed displace- 
ment is added to the effective address offset. 

/r; A ModRM byte that contains both a 
register operand and an effective address 



operand, followed by a possible immediate 
and displacement field. See figure B-2 for the 
encoding of the fields. The ModRM byte 
could be any value appearing in table B-l. 
The column determines which register 
operand was selected; the row determines the 
form of effective address. If the row entry 
mentions D8 or D16, then a one-byte or two- 
byte displacement follows, as described in the 
previous paragraph. 

cb: A one-byte signed displacement in the 
range of —128 to +127 follows the opcode. 
The displacement is sign-extended to 1 6 bits, 
and added modulo 65536 to the offset of the 
instruction FOLLOWING this instruction to 
obtain the new IP value. 

cw: A two-byte displacement is added modulo 
65536 to the offset of the instruction 
FOLLOWING this instruction to obtain the 
new IP value. 

cd: A two- word pointer which will be the new 
CS:IP value. The offset is given first, followed 
by the selector. 

db: An immediate byte operand to the 
instruction which follows the opcode and 
ModRM bytes. The opcode determines if it is 
a signed value. 

dw: An immediate word operand to the 
instruction which follows the opcode and 
ModRM bytes. All words are given in the 
iAPX 286 with the low-order byte first. 

+rb: A register code from through 7 which 
is added to the hexadecimal byte given at the 
left of the plus sign to form a single opcode 
byte. The codes are: AL=0, CL=1, DL=2, 
BL=3, AH=4, CH=5, DH=6, and BH = 7. 
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/n Instruction Byte Format 



mod 


n 


r/m 


imm. low (1) 


imm. high (1 > 


disp-low 


disp-high 



6 5 



3 2 1 7 



7 



7 



7 



mod" Field Bit Assignments 



mod 


Displacement 


00 
01 
10 
11 


DISP = (2) , disp-low and disp-high are absent 

DISP = disp-low sign-extended to 16-bits, disp-high is absent 

DISP = disp-high: disp-low 

r/m is treated as a "reg" field 



'r/m" Field Bit Assignments 



r/m 


Operand Address 


000 


(BX) + (SI) + DISP 


001 


(BX) + (Dl) + DISP 


010 


(BP) + (SI) + DISP 


011 


(BP) + (Dl) + DISP 


100 


(SI) + DISP 


101 


(Dl) + DISP 


110 


(BP) + DISP( 2 ) 


111 


(BX) + DISP 



DISP follows 2nd byte of instruction (before data if required). 

NOTES: 

1 . Opcode indicates presence and size of immediate value. 

2. Except if mod =00 and r/m=110 then EA= disp-high: disp-low. 



Figure B-1. /n Instruction Byte Format 
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Table B-1. ModRM Values 



Rb 


AL 


CL 


DL 


BL 


AH 


CH 


DH 


BH 




Rw = 


AX 


CX 


DX 


BX 


SP 


BP 


SI 


Dl 




REG 





1 


2 


3 


4 


5 


6 


7 




ModRM values: 


















Effective address: 




00 


08 


10 


18 


20 


28 


30 


38 


[BX + SI] 




01 


09 


11 


19 


21 


29 


31 


39 


[BX + Dl] 




02 


0A 


12 


1A 


22 


2A 


32 


3A 


[BP + SI] 




03 


0B 


13 


1B 


23 


2B 


33 


3B 


[BP + Dl] 




04 


OC 


14 


1C 


24 


2C 


34 


3C 


[SI] 




05 


OD 


15 


1D 


25 


2D 


35 


3D 


[Dl] 




06 


OE 


16 


1E 


26 


2E 


36 


3E 


D1 6 (simple var) 




07 


OF 


17 


1F 


27 


2F 


37 


3F 


[BX] 




40 


48 


50 


58 


60 


68 


70 


78 


[BX + SI] + D8< 1 > 




41 


49 


51 


59 


61 


69 


71 


79 


[BX + Dl] + D8 




42 


4A 


52 


5A 


62 


6A 


72 


7A 


[BP + SI] + D8 




43 


4B 


53 


5B 


63 


6B 


73 


7B 


[BP + Dl] + D8 




44 


4C 


54 


5C 


64 


6C 


74 


7C 


[SI] + D8 




45 


4D 


55 


5D 


65 


6D 


75 


7D 


[Dl] + D8 




46 


4E 


56 


5E 


66 


6E 


76 


7E 


[BP] + D8< 2 > 




47 


4F 


57 


5F 


67 


6F 


77 


7F 


[BX] + D8 




80 


88 


90 


98 


AO 


A8 


BO 


B8 


[BX + SI] + D16< 3 ) 




81 


89 


91 


99 


A1 


A9 


B1 


B9 


[BX + Dl] + D16 




82 


8A 


92 


9A 


A2 


AA 


B2 


BA 


[BP + SI] + D16 




83 


8B 


93 


9B 


A3 


AB 


B3 


BB 


[BP + Dl] + D16 




84 


8C 


94 


9C 


A4 


AC 


B4 


BC 


[SI] + D16 




85 


8D 


95 


9D 


A5 


AD 


B5 


BD 


[Dl] + D16 




86 


8E 


96 


9E 


A6 


AE 


B6 


BE 


[BP] + D16< 2 > 




87 


8F 


97 


9F 


A7 


AF 


B7 


BF 


[BX] + D16 




CO 


C8 


DO 


D8 


EO 


E8 


FO 


F8 


Ew=AX Eb=AL 




C1 


C9 


D1 


D9 


E1 


E9 


F1 


F9 


EW=CX Eb=CL 




C2 


CA 


D2 


DA 


E2 


EA 


F2 


FA 


Ew=DX Eb=DL 




C3 


CB 


D3 


DB 


E3 


EB 


F3 


FB 


Ew=BX Eb=BL 




C4 


CC 


D4 


DC 


E4 


EC 


F4 


FC 


Ew=SP Eb=AH 




C5 


CD 


D5 


DD 


E5 


ED 


F5 


FD 


Ew=BP Eb=CH 




C6 


CE 


D6 


DE 


E6 


EE 


F6 


FE 


Ew=SI Eb=DH 




C7 


CF 


D7 


DF 


E7 


EF 


F7 


FF 


Ew=DI Eb=BH 



NOTES: 

1. D8 denotes an 8-bit displacement following the ModRM byte that is sign-extended and added to the index. 

2. Default segment register is SS for effective addresses containing a BP index; DS is for other memory 
effective addresses. 

3. D16 denotes the 16-bit displacement following the ModRM byte that is added to the index. 
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/r Instruction Byte Format 



mod 


r 


r/m 


imm. low (1) 


imm. high (1 ) 


disp-low 


disp-high 



6 5 



3 2 1 7 



7 



7 



7 



mod" Field Bit Assignments 



mod 


Displacement 


00 
01 
10 

11 


DISP = (2) , disp-low and disp-high are absent 

DISP = disp-low sign-extended to 16-bits, disp-high is absent 

DISP = disp-high; disp-low 

r/m is treated as a "reg" field 



'r" Field Bit Assignments 



16-Bit (w = 1) 


8-Bit (w = O) 


Segment 


000 AX 


000 AL 


00 ES 


001 CX 


001 CL 


01 CS 


010 DX 


010 DL 


10 SS 


011 BX 


011 BL 


11 DS 


100 SP 


100 AH 




101 BP 


101 CH 




110 SI 


110 DH 




111 Dl 


111 BH 





'r/m" Field Bit Assignments 



r/m 


Operand Address 


000 


(BX) + (SI) + DISP 


001 


(BX) + (Dl) + DISP 


010 


(BP) + (SI) + DISP 


011 


(BP) + (Dl) + DISP 


100 


(SI) + DISP 


101 


(Dl) + DISP 


110 


(BP) + DISP( 2 > 


111 


(BX) + DISP 



DISP follows 2nd byte of instruction (before data if required). 

NOTES: 

1. Opcode indicates presence and size of immediate field. 

2. Except if mod=00 and r/m=110 then EA=disp-high: disp-low. 



Figure B-2. /r Instruction Byte Format 
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+ rw: A register code from through 7 which 
is added to the hexadecimal byte given at the 
left of the plus sign to form a single opcode 
byte. The codes are: AX = 0, CX= 1, DX = 2, 
BX = 3, SP=4, BP = 5, SI = 6, and DI = 7. 

Instruction 

This column gives the instruction mnemonic 
and possible operands. The type of operand 
used will determine the opcode and operand 
encodings. The following entries list the type 
of operand which can be encoded in the 
format shown in the instruction column. The 
Intel convention is to place the destination 
operand as the left hand operand. Source-only 
operands follow the destination operand. 

In many cases, the same instruction can be 
encoded several ways. It is recommended that 
you use the shortest encoding. The short 
encodings are provided to save memory space. 

cb: a destination instruction offset in the 
range of 128 bytes before the end of this 
instruction to 1 27 bytes after the end of this 
instruction. 

cw: a destination offset within the same code 
segment as this instruction. Some instruc- 
tions allow a short form of destination offset. 
See cb type for more information. 

cd: a destination address, typically in a 
different code segment from this instruction. 
Using the cd: address form with call instruc- 
tions saves the code segment selector. 

db: a signed value between —128 and +127 
inclusive which is an operand of the instruc- 
tion. For instructions in which the db is to be 
combined in some way with a word operand, 
the immediate value is sign-extended to form 
a word. The upper byte of the word is filled 
with the topmost bit of the immediate value. 



dw: an immediate word value which is an 
operand of the instruction. 

eb: a byte-sized operand. This is either a byte 
register or a (possibly indexed) byte memory 
variable. Either operand location may be 
encoded in the ModRM field. Any memory 
addressing mode may be used. 

ew: a word-sized operand. This is either a 
word register or a (possibly indexed) word 
memory variable. Either operand location 
may be encoded in the ModRM field. Any 
memory addressing mode may be used. 

m: a memory location. Operands in registers 
do not have a memory address. Any memory 
addressing mode may be used. 

mb: a memory-based byte-sized operand. Any 
memory addressing mode may be used. 

mw: a memory-based word operand. Any 
memory addressing mode may be used. 

md: a memory-based pointer operand. Any 
memory addressing mode may be used. 

rb: one of the byte registers AL, CL, DL, BL, 
AH, CH, DH, or BH. 

rw: one of the word registers AX, CX, DX, 
BX, SP, BP, SI, or DI. 

xb: a simple byte memory variable without a 
base or index register. MOV instructions 
between AL and memory have this optimized 
form if no indexing is required. 

xw: a simple word memory variable without 
a base or index register. MOV instructions 
between AX and memory have this optimized 
form if no indexing is required. 
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Clocks 

This column gives the number of clock cycles 
that this form of the instruction takes to 
execute. The amount of time for each clock 
cycle is computed by dividing one micro- 
second by the number of MHz at which the 
80286 is running. For example, a 10-MHz 
80286 (with the CLK pin connected to a 
20-MHz crystal) takes 100 nanoseconds for 
each clock cycle. 

The clock counts establish the maximum 
execution rate of the 80286. With no delays 
in bus cycles, the actual clock count of an 
80286 program will average 5-10% more than 
the calculated clock count due to instruction 
sequences that execute faster than they can 
be fetched from memory. 

Some instruction forms give two clock counts, 
one unlabelled and one labelled. These counts 
indicate that the instruction has two different 
clock times for two different circumstances. 
Following are the circumstances for each 
possible label: 

mem: The instruction has an operand that can 
either be a register or a memory variable. The 
unlabelled time is for the register; the mem 
time is for the memory variable. Also, one 
additional clock cycle is taken for indexed 
memory variables for which all three possible 
indices (base register, index register, and 
displacement) must be added. 

noj: The instruction involves a conditional 
jump or interrupt. The unlabelled time holds 
when the jump is made; the noj time holds 
when the jump is not made. 

pm: The instruction takes more time to 
execute when the 80286 is in Protected Mode. 
The unlabelled time is for Real Address 
Mode; the pm time is for Protected Mode. 



Description 

This is a concise description of the operation 
performed for this form of the instruction. 
More details are given in the "Operation" 
section that appears later in this chapter. 

Flags Modified 

This is a list of the flags that are set to a 
meaningful value by the instruction. If a flag 
is always set to the same value by the instruc- 
tion, the value is given (" = 0" or " = 1") after 
the flag name. 

Flags Undefined 

This is a list of the flags that have an 
undefined (meaningless) setting after the 
instruction is executed. 

All flags not mentioned under "Flags 
Modified" or "Flags Undefined" are 
unchanged by the instruction. 

Operation 

This section fully describes the operation 
performed by the instruction. For some of the 
more complicated instructions, suggested 
usage is also indicated. 

Protected Mode Exceptions 

The possible exceptions involved with this 
instruction when running under the iAPX 286 
Protected Mode are listed below. These 
exceptions are abbreviated with a pound sign 
(#) followed by two capital letters and an 
optional error code in parenthesis. For 
example, #GP(0) denotes the general protec- 
tion exception with an error code of zero. The 
next section describes all of the iAPX 286 
exceptions and the machine state upon entry 
to the exception. 

If you are an applications programmer, 
consult the documentation provided with your 
operating system to determine what actions 
are taken by the system when exceptions 
occur. 
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Real Address Mode Exceptions 

Since less error checking is performed by the 
iAPX 286 when it is in Real Address Mode, 
there are fewer exceptions in this mode. One 
exception that is possible in many instruc- 
tions is #GP(0). Exception 13 is generated 
whenever a word operand is accessed from 
effective address OFFFFH in a segment. This 
happens because the second byte of the word 
is considered located at location 10000H, not 
at location 0, and thus exceeds the segment's 
addressability limit. 

Protection Exceptions 

In parallel with the execution of instructions, 
the protected-mode iAPX 286 checks all 
memory references for validity of addressing 
and type of access. Violation of the memory 
protection rules built into the processor will 
cause a transfer of program control to one of 
the interrupt procedures described in this 
section. The interrupts have dedicated 
positions within the Interrupt Descriptor 
Table, which is shown in table B-2. The inter- 
rupts are referenced within the instruction set 
pages by a pound sign (#) followed by a two- 
letter mnemonic and the optional error code 
in parenthesis. 

Error Codes 

Some exceptions cause the iAPX 286 to pass 
a 16-bit error code to the interrupt proce- 



dure. When this happens, the error code is the 
last item pushed onto the stack before control 
is tranferred to the interrupt procedure. If 
stacks were switched as a result of the inter- 
rupt, the error code appears on the interrupt 
procedure's stack, not on the stack of the task 
that was interrupted. 

The error code generally contains the selector 
of the segment that caused the protection 
violation. The RPL field (bottom two bits) of 
the error code does not, however, contain the 
privilege level. Instead, it contains the follow- 
ing information: 

• Bit contains the value 1 if the exception 
was detected during an interrupt caused 
by an event external to the program (i.e., 
an external interrupt, a single step, a 
processor extension not-present excep- 
tion, or a processor extension segment 
overrun). Bit is if the exception was 
detected while processing the regular 
instruction stream, even if the instruction 
stream is part of an external interrupt 
handling procedure or task. If bit is set, 
the instruction pointed to by the saved 
CS:IP address is not responsible for the 
error. 

• Bit 1 is 1 if the selector points to the 
Interrupt Descriptor Table. In this case, 
bit 2 can be ignored, and bits 3-15 contain 
the index into the IDT. 



Table B-2. Protection Exceptions of the iAPX 286 



Abbreviation 


Interrupt Number 


Description 


#UD 


6 


Undefined Opcode 


#NM 


7 


No Math Unit Available 


#DF 


8 


Double Fault 


#MP 


9 


Math Unit Protection Fault 


#TS 


10 


Invalid Task State Segment 


#NP 


11 


Not Present 


#SS 


12 


Stack Fault 


#GP 


13 


General Protection 


#MF 


16 


Math Fault 
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• Bit 1 is if the selector points to the 
Global or Local Descriptor Tables. In this 
case, bits 2-15 have their usual selector 
interpretation: bit 2 selects the table 
(l=Local, 0= Global), and bits 3-15 are 
the index into the table. 

In some cases the iAPX 286 chooses to pass 
an error code with no information in it. In 
these cases, all 16 bits of the error code are 
zero. 

The existence and type of error codes are 
described under each of the following individ- 
ual exceptions. 

#DF 8 Double Fault (Zero Error Code) 

This exception is generated when a second 
exception is detected while the processor is 
attempting to transfer control to the handler 
for an exception. For instance, it is generated 
if the code segment containing the exception 
handler is marked not present. It is also 
generated if invoking the exception handler 
causes a stack overflow. 

This exception is not generated during the 
execution of an exeception handler. Faults 
detected within the instruction stream are 
handled by regular exceptions. 

The error code is normally zero. The saved 
CS:IP will point at the instruction that was 
attempting to execute when the double fault 
occurred. Since the error code is normally 
zero, no information on the source of the 
exception is available. Restart is not possible. 

#GP 13 General Protection (Selector or 
Zero Error Code) 

This exception is generated for all protection 
violations not covered by the other exceptions 
in this section. Examples of this include: 

1. An attempt to address a memory location 
by using an offset that exceeds the limit 
for the segment involved. 



2. An attempt to jump to a data segment. 

3. An attempt to load SS with a selector for 
a read-only segment. 

4. An attempt to write to a read-only 
segment. 

If #GP occurred while loading a descriptor, 
the error code passed contains the selector 
involved. Otherwise, the error code is zero. 

If the error code is not zero, the instruction 
can be restarted if the erroneous condition is 
rectified. If the error code is zero either a limit 
violation, a write protect violation, or an 
illegal use of invalid segment register 
occurred. An invalid segment register contains 
the values 0-3. Generally, a limit fault on 
MOVS, CMPS, INS, OUTS, or STOS is not 
restartable. A write protect fault on ADC, 
SBB, RCL, RCR, or XCHG also is not 
restartable. 

#MF 16 Math Fault (No Error Code) 

This exception is generated when the numeric 
processor extension (the 80287) detects an 
error signalled by the ERROR input pin 
leading from the 80287 to the 80286. The 
ERROR pin is tested at the beginning of most 
floating point instructions, and when a WAIT 
instruction is executed with the EM bit of the 
Machine Status Word set to (i.e., no 
emulation of the math unit). The floating 
point instructions that do not cause the 
ERROR pin to be tested are FNCLEX, 
FNINIT, FSETPM, FNSTCW, FSTCW, 
FNSTSW, FSTSW, FNSAVE, FSAVE, 
FNSTENV, and FSTENV. 

If the handler corrects the error condition 
causing the exception, the floating point 
instruction that caused #MF can be restarted. 
This is not accomplished by IRET, however, 
since the fault occurs at the floating point 
instruction that follows the offending instruc- 
tion. Before restarting the numeric instruc- 
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tion, the handler must obtain from the 80287 
the address of the offending instruction and 
the address of the optional numeric operand. 

#MP 9 Math Unit Protection Fault 
(No Error Code) 

This exception is generated if the numeric 
operand is larger than one word and has the 
second or subsequent words outside the 
segment's limit. Not all math addressing 
errors cause exception 9. If the effective 
address of an ESCAPE instruction is not in 
the segment's limit, or if a write is attempted 
on a read-only segment, exception 13 will 
occur. The #MP exception occurs during the 
execution of the numeric instruction by the 
80287. Thus, the 80286 may be in an 
unrelated instruction stream at the time. 

The offending floating point instruction 
cannot be restarted; the task which attempted 
to execute the offending numeric instruction 
must be aborted. However, if the exception 
interrupted another task, it may be restarted. 
The exception handler must execute FNINIT 
before executing any ESCAPE or WAIT 
instruction. 

#NM 7 No Math Unit Available 
(No Error Code) 

This exception occurs when any floating point 
instruction is executed while the EM bit or 
the TS bit of the Machine Status Word is 1 . 
It also occurs when a WAIT instruction is 
encountered and both the MP and TS bits of 
the Machine Status Word are 1. 

Depending on the setting of the MSW bits 
that caused this exception, the exception 
handler could provide emulation of the 80287, 
or it could perform a context switch of the 
math processor to prepare it for use by 
another task. 

The instruction causing #NM can be restarted 
if the handler performs a numeric context 



switch. If the handler provided emulation of 
the math unit, it should advance the return 
pointer beyond the floating point instruction 
that caused NM. 

#NP 1 1 Not Present (Selector Error Code) 

This exception occurs when CS, DS, ES, or 
the Task Register is loaded with a descriptor 
that is marked not present but is otherwise 
valid. It can occur in an LLDT instruction, 
but the #NP exception will not occur if the 
processor attempts to load the LDT register 
during a task switch. A not-present LDT 
encountered during a task switch causes the 
#TS exception. 

The error code passed is the selector of the 
descriptor that is marked not present. 

Typically, the Not Present exception handler 
is used to implement a virtual memory system. 
The operating system can swap inactive 
memory segments to a mass-storage device 
such as a disk. Applications programs need 
not be told about this; the next time they 
attempt to access the swapped-out memory 
segment, the Not Present handler will be 
invoked, the segment will be brought back into 
memory, and the offending instruction within 
the applications program will be restarted. 

If #NP is detected on loading CS, DS, or ES 
in a task switch, the exception occurs in the 
new task, and the IRET from the exception 
handler jumps directly to the next instruction 
in the new task. 

The Not Present exception handler must 
contain special code to complete the loading 
of segment registers when #NP is detected in 
loading the CS or DS registers in a task 
switch and a trap or interrupt gate was used. 
The DS and ES registers have been loaded 
but their descriptors have not been loaded. 
Any memory reference using the segment 
register may cause exception 13. The #NP 



B-9 



THE iAPX 286 INSTRUCTION SET 



exception handler should execute code such 
as the following to ensure full loading of the 
segment registers: 

MOV AX,DS 
MOV DS,AX 
MOV AX,ES 
MOV ES,AX 



#SS 12 Stack Fault (Selector or Zero 
Error Code) 

This exception is generated when a limit 
violation is detected in addressing through the 
SS register. It can occur on stack-oriented 
instructions such as PUSH or POP, as well 
as other types of memory references using SS 
such as MOV AX,[BP+28]. It also can occur 
on an ENTER instruction when there is not 
enough space on the stack for the indicated 
local variable space, even if the stack excep- 
tion is not triggered by pushing BP or copying 
the display stack. A stack exception can 
therefore indicate a stack overflow, a stack 
underflow or a wild offset. The error code will 
be zero. 

#SS is also generated on an attempt to load 
SS with a descriptor that is marked not 
present but is otherwise valid. This can occur 
in a task switch, an inter-level call, an inter- 
level return, a move to the SS instruction or 
a pop to the SS instruction. The error code 
will be non-zero. 

#SS is never generated when addressing 
through the DS or ES registers even if the 
offending register points to the same segment 
as the SS register. 

The #SS exception handler must contain 
special code to complete the loading of 
segment registers. The DS and ES registers 
will not be fully loaded if a not-present 
condition is detected while loading the SS 
register. Therefore, the #SS exception handler 



should execute code such as the following to 
insure full loading of the segment registers: 

MOV AX,DS 
MOV DS,AX 
MOV AX,ES 
MOV ES,AX 

Generally, the instruction causing #SS can be 
restarted, but there is one special case when 
it cannot: when a PUSHA or POPA instruc- 
tion attempts to wrap around the 64K bound- 
ary of a stack segment. This condition is 
identified by the value of the saved SP, which 
can be either 0000H, 000 1H, OFFFEH, or 
OFFFFH. 



#TS 10 Invalid Task State Segment 
(Selector Error Code) 

This exception is generated when a task state 
segment is invalid, that is, when a task state 
segment is too small; when the LDT indicated 
in a TSS is invalid or not present; when the 
SS, CS, DS, or ES indicated in a TSS are 
invalid (task switch); when a TSS indicated 
an invalid privileged stack (inter-level call); 
or when the back link in a TSS is invalid 
(inter-task IRET). 

#TS is not generated when the SS, CS, DS, 
or ES back link or privileged stack selectors 
point to a descriptor that is not present but 
otherwise is valid. #NP is generated in these 
cases. 

The error code passed to the exception handler 
contains the selector of the offending segment, 
which can either be the Task State Segment 
itself, or a selector found within the Task 
State Segment. 

The instruction causing #TS can be restarted. 

#TS must be handled through a task gate. 
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#UD 6 Undefined Opcode (No Error Code) 

This exception is generated when an invalid 
operation code is detected in the instruction 
stream. Following are the cases in which #UD 
can occur: 

1. The first byte of an instruction is 
completely invalid (e.g., 64H). 

2. The first byte indicates a 2-byte opcode 
and the second byte is invalid (e.g., OFH 
followed by OFFH). 

3. An invalid register is used with an other- 
wise valid opcode (e.g., MOV CS,AX). 

4. An invalid opcode extension is given in 
the REG field of the ModRM byte (e.g., 
0F6H/1). 

5. A register operand is given in an instruc- 
tion that requires a memory operand 
(e.g., LGDT AX). 

Since the offending opcode will always be 
invalid, it cannot be restarted. However, the 
#UD handler might be coded to implement 
an extension of the iAPX 286 instruction set. 
In that case, the handler could advance the 
return pointer beyond the extended instruc- 
tion and return control to the program after 
the extended instruction is emulated. Any 
such extensions may be incompatible with 
iAPX 386. 



Privilege Level and Task Switching on 
the iAPX 286 

The iAPX 286 supports many of the functions 
necessary to implement a protected, multi- 
tasking operating system in hardware. This 
support is provided not by additional instruc- 
tions, but by extension of the semantics of 
iAPX 86/88 instructions that change the 
value of CS:IP. 

Whenever the iAPX 286 performs an inter- 
segment jump, call, interrupt, or return, it 
consults the Access Rights (AR) byte found 
in the descriptor table entry of the selector 
associated with the new CS value. The AR 
byte determines whether the long jump being 
made is through a gate, or is a task switch, or 
is a simple long jump to the same privilege 
level. Table B-3 lists the possible values of the 
AR byte. The "privilege" headings at the top 
of the table give the Descriptor Privilege 
Level, which is referred to as the DPL within 
the instruction descriptions. 

Each of the CALL, INT, IRET, JMP, and 
RET instructions contains on its instruction 
set pages a listing of the access rights 
checking and actions taken to implement 
the instruction. Instructions involving 
task switches contain the symbol 
SWITCH_TASKS, which is an abbreviation 
for the following list of checks and actions: 



SWITCH_TASKS: 

Locked set AR byte of new TSS descriptor to Busy TSS (Bit 1=1) 

Current TSS cache must be valid with limit > 43 else #TS (error code will 

be new TSS, but back link points at old TSS) 

New TSS limit > 43 else #TS (new TSS) 

Save machine state in current TSS 

If nesting tasks, set the new TSS link to the current TSS selector 

Any exception will be in new context Else set the AR byte of current TSS 

descriptor to Available TSS (Bit 1 = 0) 

Set the current TR to selector, base, and limit of new TSS 

Set all machine registers to values from new TSS without loading descriptors for DS, ES, CS, SS, LDT 

Clear valid flags for LDT,SS,CS,DS,ES (not valid yet) 

Set the Task Switched flag to 1 

If nesting tasks, set the Nested Task flag to 1 

LDT from the new TSS must be within GDT table limits else #TS(LDT) 

AR byte from LDT descriptor must specify LDT segment else #TS(LDT) 
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AR byte from LDT descriptor must indicate PRESENT else #TS(LDT) 

Load LDT cache with new LDT descriptor and set valid bit 

Set CPL to the RPL of the CS selector in the new TSS 

If new stack selector is null #TS(SS) 

SS selector must be within its descriptor table limits else #TS(SS) 

SS selector RPL must be equal to CPL else #TS(SS) 

DPL of SS descriptor must equal CPL else #TS(SS) 

SS descriptor AR byte must indicate writable data segment else #TS(SS) 

SS descriptor AR byte must indicate PRESENT else #SS(SS) 

Load SS cache with new stack segment and set valid bit 

New CS selector must not be null else #TS(CS) 

CS selector must be within its descriptor table limits else #TS(CS) 

CS descriptor AR byte must indicate code segment else #TS(CS) 

If non-conforming then DPL must equal CPL else #TS(CS) 

If conforming then DPL must be < CPL else #TS(CS) 

CS descriptor AR byte must indicate PRESENT else #NP(CS) 

Load CS cache with new code segment descriptor and set valid bit 

For DS and ES: 

If new selector is not null then perform following checks: 

Index must be within its descriptor table limits else #TS(segment selector) 
AR byte must indicate data or readable code else #TS(segment selector) 
If data or non-conforming code then: 

DPL must be > CPL else #TS(segment selector) 
DPL must be > RPL else #TS(segment selector) 
AR byte must indicate PRESENT else #NP(segment selector) 
Load cache with new segment descriptor and set valid bit 
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Table B-3. 


Hexadecimal Values for the Access Rights Byte 




Not present, 






Present, 








privilege = 






privilege= 




Descriptor Type 





1 


2 


3 





1 * 


2 


3 




00 


20 


40 


60 


80 


AO 


CO 


EO 


Illegal 


01 


21 


41 


61 


81 


A1 


C1 


E1 


Available Task State Segment 


02 


22 


42 


62 


82 


A2 


C2 


E2 


Local Descriptor Table Segment 


03 


23 


43 


63 


83 


A3 


C3 


E3 


Busy Task State Segment 


04 


24 


44 


64 


84 


A4 


C4 


E4 


Call Gate 


05 


25 


45 


65 


85 


A5 


C5 


E5 


Task Gate 


06 


26 


46 


66 


86 


A6 


C6 


E6 


Interrupt Gate 


07 


27 


47 


67 


87 


A7 


C7 


E7 


Trap Gate 


08 


28 


48 


68 


88 


A8 


C8 


E8 


Illegal 


09 


29 


49 


69 


89 


A9 


C9 


E9 


Illegal 


0A 


2A 


4A 


6A 


8A 


AA 


CA 


EA 


Illegal 


OB 


2B 


4B 


6B 


8B 


AB 


CB 


EB 


Illegal 


OC 


2C 


4C 


6C 


8C 


AC 


CC 


EC 


Illegal 


OD 


2D 


4D 


6D 


8D 


AD 


CD 


ED 


Illegal 


OE 


2E 


4E 


6E 


8E 


AE 


CE 


EE 


Illegal 


OF 


2F 


4F 


6F 


8F 


AF 


CF 


EF 


Illegal 


10 


30 


50 


70 


90 


BO 


DO 


FO 


Expand-up, read only, ignored Data Segment 


11 


31 


51 


71 


91 


B1 


D1 


F1 


Expand-up, read only, accessed Data Segment 


12 


32 


52 


72 


92 


B2 


D2 


F2 


Expand-up, writable, ignored Data Segment 


13 


33 


53 


73 


93 


B3 


D3 


F3 


Expand-up, writable, accessed Data Segment 


14 


34 


54 


74 


94 


B4 


D4 


F4 


Expand-down, read only, ignored Data Segment 


15 


35 


55 


75 


95 


B5 


D5 


F5 


Expand-down, read only, accessed Data Segment 


16 


36 


56 


76 


96 


B6 


D6 


F6 


Expand-down, writable, ignored Data Segment 


17 


37 


57 


77 


97 


B7 


D7 


F7 


Expand-down, writable, accessed Data Segment 


18 


38 


58 


78 


98 


B8 


D8 


F8 


Non-conform, no read, ignored Code Segment 


19 


39 


59 


79 


99 


B9 


D9 


F9 


Non-conform, no read, accessed Code Segment 


1A 


3A 


5A 


7A 


9A 


BA 


DA 


FA 


Non-conform, readable, ignored Code Segment 


1B 


3B 


5B 


7B 


9B 


BB 


DB 


FB 


Non-conform, readable, accessed Code Segment 


1C 


3C 


5C 


7C 


9C 


BC 


DC 


FC 


Conforming, no read, ignored Code Segment 


1D 


3D 


5D 


7D 


9D 


BD 


DD 


FD 


Conforming, no read, accessed Code Segment 


1E 


3E 


5E 


7E 


9E 


BE 


DE 


FE 


Conforming, readable, ignored Code Segment 


1F 


3F 


5F 


7F 


9F 


BF 


DF 


FF 


Conforming, readable, accessed Code Segment 
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AAA — ASCII Adjust AL After Addition 



Opcode 

37 



Instruction 
AAA 



Clocks 
3 



Description 

ASCII adjust AL after addition 



FLAGS MODIFIED 

Auxiliary carry, carry 

FLAGS UNDEFINED 

Overflow, sign, zero, parity 

OPERATION 

AAA should be executed only after an ADD 
instruction which leaves a byte result in the 
AL register. The lower nibbles of the operands 
to the ADD instruction should be in the range 
through 9 (BCD digits). In this case, the 
AAA instruction will adjust AL to contain the 
correct decimal digit result. If the addition 
produced a decimal carry, the AH register is 
incremented, and the carry and auxiliary 
carry flags are set to 1. If there was no 
decimal carry, the carry and auxiliary carry 
flags are set to 0, and AH is unchanged. In 



any case, AL is left with its top nibble set to 
0. To convert AL to an ASCII result, you can 
follow the AAA instruction with OR AL,30H. 

The precise definition of AAA is as follows: 
if the lower 4 bits of AL are greater than nine, 
or if the auxiliary carry flag is 1, then incre- 
ment AL by 6, AH by 1, and set the carry 
and auxiliary carry flags. Otherwise, reset the 
carry and auxiliary carry flags. In any case, 
conclude the AAA operation by setting the 
upper four bits of AL to zero. 

PROTECTED MODE EXCEPTIONS 

None 

REAL ADDRESS MODE EXCEPTIONS 

None 
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AAD — ASCII Adjust AX Before Division 



Opcode 

D5 OA 



Instruction 
AAD 



Clocks 

14 



Description 

ASCII adjust AX before division 



FLAGS MODIFIED 

Sign, zero, parity 

FLAGS UNDEFINED 

Overflow, auxiliary carry, carry 

OPERATION 

AAD is used to prepare two unpacked BCD 
digits (least significant in AL, most signifi- 
cant in AH) for a division operation which 
will yield an unpacked result. This is accom- 



plished by setting AL to AL + (10 X AH), 
and then setting AH to 0. This leaves AX 
equal to the binary equivalent of the original 
unpacked 2-digit number. 

PROTECTED MODE EXCEPTIONS 

None 

REAL ADDRESS MODE EXCEPTIONS 

None 
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AAM — ASCII Adjust AX After Multiply 



Opcode 

D4 OA 



Instruction 

AAM 



Clocks 

16 



Description 

ASCII adjust AX after multiply 



FLAGS MODIFIED 

Sign, zero, parity 

FLAGS UNDEFINED 

Overflow, auxiliary carry, carry 

OPERATION 

AAM should be used only after executing a 
MUL instruction between two unpacked BCD 
digits, leaving the result in the AX register. 
Since the result is less than one hundred, it is 



contained entirely in the AL register. AAM 
unpacks the AL result by dividing AL by ten, 
leaving the quotient (most significant digit) 
in AH, and the remainder (least significant 
digit) in AL. 

PROTECTED MODE EXCEPTIONS 

None 

REAL ADDRESS MODE EXCEPTIONS 

None 
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AAS — ASCII Adjust AL After Subtraction 



Opcode 

3F 



Instruction 
AAS 



Clocks 
3 



Description 

ASCII adjust AL after subtraction 



FLAGS MODIFIED 

Auxiliary carry, carry 

FLAGS UNDEFINED 

Overflow, sign, zero, parity 

OPERATION 

AAS should be executed only after a subtrac- 
tion instruction which left the byte result in 
the AL register. The lower nibbles of the 
operands to the SUB instruction should have 
been in the range through 9 (BCD digits). 
In this case, the AAS instruction will adjust 
AL to contain the correct decimal digit result. 
If the subtraction produced a decimal carry, 
the AH register is decremented, and the carry 
and auxiliary carry flags are set to 1. If there 
was no decimal carry, the carry and auxiliary 
carry flags are set to 0, and AH is unchanged. 



In any case, AL is left with its top nibble set 
to 0. To convert AL to an ASCII result, you 
can follow the AAS instruction with 
OR AL,30H. 

The precise definition of AAS is as follows: if 
the lower four bits of AL are greater than 9, 
or if the auxiliary carry flag is 1 , then decre- 
ment AL by 6, AH by 1, and set the carry 
and auxiliary carry flags. Otherwise, reset the 
carry and auxiliary carry flags. In any case, 
conclude the AAS operation by setting the 
upper four bits of AL to zero. 

PROTECTED MODE EXCEPTIONS 

None 

REAL ADDRESS MODE EXCEPTIONS 

None 
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ADC/ADD — Integer Addition 



Opcode 




Instruction 


Clocks 


Description 


10 


lr 




ADC eb.rb 


2,mem=7 


Add with carry byte register into EA byte 


11 


/r 




ADC ew.rw 


2,mem=7 


Add with carry word register into EA word 


12 


lr 




ADC rb.eb 


2,mem=7 


Add with carry EA byte into byte register 


13 


lr 




ADC rw.ew 


2,mem=7 


Add with carry EA word into word register 


14 


db 




ADC AL.cto 


3 


Add with carry immediate byte into AL 


15 


dw 




ADC AX.cftv 


3 


Add with carry immediate word into AX 


80 


/2 


db 


ADC eb.db 


3,mem=7 


Add with carry immediate byte into EA byte 


81 


/2 


dw 


ADC ew.dw 


3,mem=7 


Add with carry immediate word into EA word 


83 


/2 


db 


ADC ew.db 


3,mem=7 


Add with carry immediate byte into EA word 


00 


lr 




ADD eb.rb 


2,mem=7 


Add byte register into EA byte 


01 


lr 




ADD ew.rw 


2,mem=7 


Add word register into EA word 


02 


lr 




ADD rb.eb 


2,mem=7 


Add EA byte into byte register 


03 


lr 




ADD nv.eiv 


2,mem=7 


Add EA word into word register 


04 


db 




ADD AL.cto 


3 


Add immediate byte into AL 


05 


dw 




ADD AX.cfw 


3 


Add immediate word into AX 


80 


/o 


db 


ADD eb.cto 


3,mem=7 


Add immediate byte into EA byte 


81 


/o 


dw 


ADD ew.dw 


3,mem=7 


Add immediate word into EA word 


83 


/o 


db 


ADD ew,cto 


3,mem=7 


Add immediate byte into EA word 



FLAGS MODIFIED 

Overflow, sign, zero, auxiliary carry, parity, 
carry 

FLAGS UNDEFINED 

None 

OPERATION 

ADD and ADC perform an integer addition 
on the two operands. The ADC instruction 
also adds in the initial state of the carry flag. 
The result of the addition goes to the first 
operand. ADC is usually executed as part of 
a multi-byte or multi-word addition 
operation. 



When a byte immediate value is added to a 
word operand, the immediate value is first 
sign-extended. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the result is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
0FFFFH. 
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AND — Logical AND 



Opcode 




Instruction 


Clocks 


Description 


20 


lr 




AND eb.rb 


2,mem=7 


Logical-AND 


21 


lr 




AND ew,rw 


2,mem=7 


Logical-AND 


22 


lr 




AND rb.eb 


2,mem=7 


Logical-AND 


23 


lr 




AND rw.ew 


2,mem=7 


Logical-AND 


24 


db 




AND AL.cfo 


3 


Logical-AND 


25 


dw 




AND AX.cfw 


3 


Logical-AND 


80 


/4 


db 


AND eb,cfo 


3,mem=7 


Logical-AND 


81 


/4 


dw 


AND ew.cfiv 


3,mem=7 


Logical-AND 



byte register into EA byte 
word register into EA word 
EA byte into byte register 
EA word into word register 
immediate byte into AL 
immediate word into AX 
immediate byte into EA byte 
immediate word into EA word 



FLAGS MODIFIED 

Overflow =0, sign, zero, parity, carry =0 

FLAGS UNDEFINED 

Auxiliary carry 

OPERATION 

Each bit of the result is a 1 if both corre- 
sponding bits of the operands were 1 ; it is 
otherwise. 



PROTECTED MODE EXCEPTIONS 

#GP(0) if the result is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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ARPL — Adjust RPL Field of Selector 



Opcode 


Instruction 


Clocks 


Description 


63 jr 


ARPL ew.rw 


10,mem=11 


Adjust RPL of EA word not less than RPL of 
rw 



FLAGS MODIFIED 

Zero 

FLAGS UNDEFINED 

None 

OPERATION 

The ARPL instruction has two operands. The 
first operand is a 16-bit memory variable or 
word register that contains the value of a 
selector. The second operand is a word regis- 
ter. If the RPL field (bottom two bits) of the 
first operand is less than the RPL field of the 
second operand, then the zero flag is set to 1 
and the RPL field of the first operand is 
increased to match the second RPL. Other- 
wise, the zero flag is set to and no change 
is made to the first operand. 



ARPL appears in operating systems software, 
not in applications programs. It is used to 
guarantee that a selector parameter to a 
subroutine does not request more privilege 
than the caller was entitled to. The second 
operand used by ARPL would normally be a 
register that contains the CS selector value of 
the caller. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the result is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 6. ARPL is not recognized in Real 
Address mode. 
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BOUND — Check Array Index Against Bounds 



Opcode 

62 /r 



Instruction Clocks 

BOUND rw.md noj=13 



Description 

INT 5 if rw not within bounds 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

BOUND is used to ensure that a signed array 
index is within the limits defined by a two- 
word block of memory. The first operand (a 
register) must be greater than or equal to the 
first word in memory, and less than or equal 
to the second word in memory. If the register 
is not within the bounds, an INTERRUPT 5 
occurs. 

The two-word block might typically be found 
just before the array itself and therefore would 
be accessible at a constant offset of — 4 from 
the array, simplifying the addressing. 



PROTECTED MODE EXCEPTIONS 

INTERRUPT 5 if the bounds test fails, as 
described above. #GP(0) for an illegal 
memory operand effective address in the CS, 
DS, or ES segments; #SS(0) for an illegal 
address in the SS segment. 

The second operand must be a memory 
operand, not a register. If the BOUND 
instruction is executed with a ModRM byte 
representing a register second operand, then 
fault #UD will occur. 



REAL ADDRESS MODE EXCEPTIONS 

INTERRUPT 5 if the bounds test fails, as 
described above. Interrupt 13 for a second 
operand at offset OFFFDH or higher. Inter- 
rupt 6 if the second operand is a register, as 
described in the paragraph above. 
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CALL — Call Procedure 



Opcode 


Instruction 


Clocks* 


Description 


E8 


cw 


CALL cw 


7 


Call near, offset relative to next instruction 


FF 


/2 


CALL ew 


7,mem=11 


Call near, offset absolute at EA word 


9A 


cd 


CALL cd 


13,pm=26 


Call inter-segment, immediate 4-byte address 


9A 


cd 


CALL cd 


41 


Call gate, same privilege 


9A 


cd 


CALL cd 


82 


Call gate, more privilege, no parameters 


9A 


cd 


CALL cd 


86+4X 


Call gate, more privilege, X parameters 


9A 


cd 


CALL cd 


177 


Call via Task State Segment 


9A 


cd 


CALL cd 


182 


Call via task gate 


FF 


/3 


CALL ed 


16,mem=29 


Call inter-segment, address at EA doubleword 


FF 


/3 


CALL ed 


44 


Call gate, same privilege 


FF 


/3 


CALL ed 


83 


Call gate, more privilege, no parameters 


FF 


/3 


CALL ed 


90+4X 


Call gate, more privilege, X parameters 


FF 


/3 


CALL ecf 


180 


Call via Task State Segment 


FF 


/3 


CALL ed 


185 


Call via task gate 



*Add one clock for each byte in the next instruction executed. 



FLAGS MODIFIED 

None, except when a task switch occurs 

FLAGS UNDEFINED 

None 

OPERATION 

The CALL instruction causes the procedure 
named in the operand to be executed. When 
the procedure is complete (a return instruc- 
tion is executed within the procedure), execu- 
tion continues at the instruction that follows 
the CALL instruction. 

The CALL cw form of the instruction adds 
modulo 65536 (the 2-byte operand) to the 
offset of the instruction following the CALL 
and sets IP to the resulting offset. The 2-byte 
offset of the instruction that follows the 
CALL is pushed onto the stack. It will be 
popped by a near RET instruction within the 
procedure. The CS register is not changed by 
this form. 

The CALL ew form of the instruction is the 
same as CALL cw except that the operand 
specifies a memory location from which the 



absolute 2-byte offset for the procedure is 
fetched. 

The CALL cd form of the instruction uses the 
4-byte operand as a pointer to the procedure 
called. The CALL ed form fetches the long 
pointer from the memory location specified. 
Both long pointer forms consult the AR byte 
in the descriptor indexed by the selector part 
of the long pointer. The AR byte can indicate 
one of the following descriptor types: 

1. Code Segment — The access rights are 
checked, the return pointer is pushed onto 
the stack, and the procedure is jumped 
to. 

2. Call Gate — The offset part of the pointer 
is ignored. Instead, the entire address of 
the procedure is taken from the call gate 
descriptor entry. If the routine being 
entered is more privileged, then a new 
stack (both SS and SP) is loaded from 
the task state segment for the new privi- 
lege level, and parameters determined by 
the wordcount field of the call gate are 
copied from the old stack to the new 
stack. 
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Task Gate — The current task's context is 
saved in its Task State Segment (TSS), 
and the TSS named in the task-gate is 
used to load the new context. The selec- 
tor for the outgoing task (from TR) is 
stored into the new TSS's link field, and 
the new task's Nested Task flag is set. 
The outgoing task is left marked busy, the 
new TSS is marked busy, and execution 
resumes at the point at which the new 
task was last suspended. 

Task State Segment — The current task is 
suspended and the new task initiated as 
in 3 above except that there is no inter- 
vening gate. 



For long calls involving no task switch, the 
return link is the pointer of the instruction 
that follows the CALL, i.e., the caller's CS 
and updated IP. Task switches invoked by 
CALLs are linked by storing the outgoing 
task's TSS selector in the incoming TSS's link 
field and setting the Nested Task flag in the 
new task. Nested tasks must be terminated by 
an IRET. IRET releases the nested task and 
follows the back link to the calling task if the 
NT flag is set. 

A precise list of the protection checks made 
and the actions taken is given by the follow- 
ing list: 



CALL FAR: 

If indirect then check access of EA doubleword #GP(0) if limit violation 

New CS selector must not be null else #GP(0) 

Check that new CS selector index is within its descriptor table limits; else #GP (new CS selector) 

Examine AR byte of selected descriptor for various legal values: 

CALL CONFORMING CODE SEGMENT: 

DPL must be > CPL else #GP (code segment selector) 
Segment must be PRESENT else #NP (code segment selector) 
Stack must be big enough for return address else #SS(0) 
IP must be in code segment limit else #GP(0) 
Load code segment descriptor into CS cache 
Load CS with new code segment selector 
Set RPL of CS to CPL 
Load IP with new offset 

CALL NONCONFORMING CODE SEGMENT: 

RPL must be < CPL else #GP (code segment selector) 
DPL must be = CPL else #GP (code segment selector) 
Segment must be PRESENT else #NP (code segment selector) 
Stack must be big enough for return address else #SS(0) 
IP must be in code segment limit else #GP(0) 
Load code segment descriptor into CS cache 
Load CS with new code segment selector 
Set RPL of CS to CPL 
Load IP with new offset 

CALL TO CALL GATE: 

Call gate DPL must be > CPL else #GP (call gate selector) 

Call gate DPL must be > RPL else #GP (call gate selector) 

Call gate must be PRESENT else #NP (call gate selector) 

Examine code segment selector in call gate descriptor: 
Selector must not be null else #GP(0) 

Selector must be within its descriptor table limits else #GP (code segment selector) 
AR byte of selected descriptor must indicate code segment else #GP (code segment selector) 
DPL of selected descriptor must be < CPL else #GP( code segment selector) 
If non-conforming code segment and DPL < CPL then 

CALL GATE TO MORE PRIVILEGE: 

Get new SS selector for new privilege level from TSS 
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Check selector and descriptor for new SS: 
Selector must not be null else #TS(0) 

Selector index must be within its descriptor table limits else #TS (SS selector) 
Selector's RPL must equal DPL of code segment else #TS (SS selector) 
Stack segment DPL must equal DPL of code segment else #TS (SS selector) 
Descriptor must indicate writable data segment else #TS (SS selector) 
Segment PRESENT else #SS (SS selector) 

New stack must have room for parameters plus 8 bytes else #SS(0) 

IP must be in code segment limit else #GP(0) 

Load new SS:SP value from TSS 

Load new CS:IP value from gate 

Load CS descriptor 

Load SS descriptor 

Push long pointer of old stack onto new stack 

Get word count from call gate, mask to 5 bits 

Copy parameters from old stack onto new stack 

Push return address onto new stack 

Set CPL to stack segment DPL 

Set RPL of CS to CPL 
Else 

CALL GATE TO SAME PRIVILEGE: 

Stack must have room for 4-byte return address else #SS(0) 

IP must be in code segment limit else #GP(0) 

Load CS:IP from gate 

Push return address onto stack 

Load code segment descriptor into CS-cache 

Set RPL of CS to CPL 

CALL TASK GATE: 

Task gate DPL must be >: CPL else #GP (gate selector) 
Task gate DPL must be > RPL else #GP (gate selector) 
Task Gate must be PRESENT else #NP (gate selector) 
Examine selector to TSS, given in Task Gate descriptor: 

Must specify global in the local/global bit else #GP (TSS selector) 

Index must be within GDT limits else #GP (TSS selector) 

TSS descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector) 

Task State Segment must be PRESENT else #NP (TSS selector) 
SWITCH_TASKS with nesting to TSS 
IP must be in code segment limit else #GP(0) 

TASK STATE SEGMENT: 

TSS DPL must be > CPL else #GP (TSS selector) 

TSS DPL must be > RPL else #GP (TSS selector) 

TSS descriptor AR byte must specify available TSS else #GP (TSS selector) 

Task State Segment must be PRESENT else #NP (TSS selector) 

SWITCH_TASKS with nesting to TSS 

IP must be in code segment limit else #GP(0) 

ELSE #GP (code segment selector) 

PROTECTED MODE EXCEPTIONS DS, or ES segments; #SS(0) for an illegal 

FAR calls: #GP, #NP, #SS, and #TS, as address in the SS segment. #GP if the indirect 

indicated in the list above. offset obtained is beyond the code segment 

NEAR direct calls: #GP(0) if procedure imi S * 

location is beyond the code segment limits. __ A , ,__„_«, „«.»_ -««-«,,««« 

J 6 REAL ADDRESS MODE EXCEPTIONS 

NEAR indirect CALL: #GP(0) for an illegal Interrupt 13 for a word operand at offset 

memory operand effective address in the CS, OFFFFH. 

B-24 



THE IAPX 286 INSTRUCTION SET 



CBW — Convert Byte into Word 



Opcode 
98 



Instruction 

CBW 



Clocks 
2 



Description 

Convert byte into word (AH = top bit of AL) 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

CBW converts the signed byte in AL to a 



signed word in AX. It does so by extending 
the top bit of AL into all of the bits of AH. 

PROTECTED MODE EXCEPTIONS 

None 

REAL ADDRESS MODE EXCEPTIONS 

None 
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CLC — Clear Carry Flag 



Opcode 
F8 



Instruction 
CLC 



Clocks 
2 



Description 

Clear carry flag 



FLAGS MODIFIED 

Carry=0 

FLAGS UNDEFINED 

None 

OPERATION 

CLC sets the carry flag to zero. No other flags 
or registers are affected. 



PROTECTED MODE EXCEPTIONS 

None 

REAL ADDRESS MODE EXCEPTIONS 

None 
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CLD — Clear Direction Flag 



Opcode 
FC 



Instruction 
CLD 



Clocks 
2 



Description 

Clear direction flag, SI and Dl will increment 



FLAGS MODIFIED 

Direction =0 

FLAGS UNDEFINED 

None 

OPERATION 

CLD clears the direction flag. No other flags 



or registers are affected. After CLD is 
executed, string operations will increment the 
index registers (SI and/or DI) that they use. 

PROTECTED MODE EXCEPTIONS 

None 

REAL ADDRESS MODE EXCEPTIONS 

None 
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CLI — Clear Interrupt Flag 



Opcode 

FA 



Instruction 

CLI 



Clocks 

3 



Description 

Clear interrupt flag; interrupts disabled 



FLAGS MODIFIED 

lnterrupt=0 

FLAGS UNDEFINED 

None 

OPERATION 

CLI clears the interrupt enable flag if the 
current privilege level is at least as privileged 
as IOPL. No other flags are affected. Exter- 
nal interrupts will be ignored after the next 



instruction if the interrupt enable flag remains 
cleared. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the current privilege level is bigger 
(has less privilege) than the IOPL in the flags 
register. IOPL specifies the least privileged 
level at which I/O may be performed. 

REAL ADDRESS MODE EXCEPTIONS 

None 
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CLTS — Clear Task Switched Flag 



Opcode 
OF 06 



Instruction 
CLTS 



Clocks 
2 



Description 

Clear task switched flag 



FLAGS MODIFIED 

Task switched =0 

FLAGS UNDEFINED 

None 

OPERATION 

CLTS clears the task switched flag in the 
Machine Status Word. This flag is set by the 
iAPX 286 every time a task switch occurs. 
The TS flag is used to manage processor 
extensions as follows: every execution of a 
WAIT or an ESC instruction will be trapped 
if the MP flag of MSW is set and the task 
switched flag is set. Thus, if a processor 
extension is present and a task switch has been 
made since the last ESC instruction was 
begun, the processor extension's context must 
be saved before a new instruction can be 



issued. The fault routine will save the context 
and reset the task switched flag or place the 
task requesting the processor extension into a 
queue until the current processor extension 
instruction is completed. 

CLTS appears in operating systems software, 
not in applications programs. It is a privi- 
leged instruction that can only be executed at 
level 0. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if CLTS is executed with a current 
privilege level other than 0. 

REAL ADDRESS MODE EXCEPTIONS 

None (valid in REAL ADDRESS MODE to 
allow power-up initialization for Protected 
Mode) 
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CMC — Complement Carry Flag 



Opcode Instruction Clocks Description 

F5 CMC 2 Complement carry flag 



FLAGS MODIFIED PROTECTED MODE EXCEPTIONS 

Carry None 

FLAGS UNDEFINED REAL ADDRESS MODE EXCEPTIONS 

None None 

OPERATION 

CMC reverses the setting of the carry flag. 
No other flags are affected. 
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CMP — Compare Two Operands 



Opcode 




Instruction 


Clocks 


Description 


3C 


db 




CMP AL.cto 


3 


Compare immediate byte from AL 


3D 


dw 




CMP AX,dw 


3 


Compare immediate word from AX 


80 


/7 


db 


CMP eb.db 


3,mem=6 


Compare immediate byte from EA byte 


38 


lr 




CMP eb,rb 


2,mem=7 


Compare byte register from EA byte 


83 


P 


db 


CMP ew.db 


3,mem=6 


Compare immediate byte from EA word 


81 


P 


dw 


CMP ew,dw 


3,mem=6 


Compare immediate word from EA word 


39 


lr 




CMP ew,rw 


2,mem=7 


Compare word register from EA word 


3A 


lr 




CMP rb.eb 


2,mem=6 


Compare EA byte from byte register 


3B 


lr 




CMP rw.ew 


2,mem=6 


Compare EA word from word register 



FLAGS MODIFIED 

Overflow, sign, zero, auxiliary carry, parity, 
carry 

FLAGS UNDEFINED 

None 

OPERATION 

CMP subtracts the second operand from the 
first operand, but it does not place the result 
anywhere. Only the flags are changed by this 
instruction. CMP is usually followed by a 
conditional jump instruction. See the "Jcond" 
instructions in this chapter for the list of 



signed and unsigned flag tests provided by the 
iAPX 286. 

If a word operand is compared to an immedi- 
ate byte value, the byte value is first sign- 
extended. 

PROTECTED MODE EXCEPTIONS 

#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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CMPS/CMPSB/CMPSW— Compare string operands 



Opcode 

A6 
A6 
A7 



Instruction 

CMPS mb,mb 

CMPSB 

CMPSW 



Clocks 

8 
8 
8 



Description 

Compare bytes ES:[DI] from [SI] 
Compare bytes ES:[DI] from DS:[SI] 
Compare words ES:[DI] from DS:[SI] 



FLAGS MODIFIED 

Overflow, sign, zero, auxiliary carry, parity, 
carry 

FLAGS UNDEFINED 

None 

OPERATION 

CMPS compares the byte or word pointed to 
by SI with the byte or word pointed to by DI 
by performing the subtraction [SI] — [DI]. 
The result is not placed anywhere; only the 
flags reflect the result of the subtraction. The 
types of the operands to CMPS determine 
whether bytes or words are compared. The 
segment addressability of the first (SI) 
operand determines whether a segment 
override byte will be produced or whether the 
default segment register DS is used. The 
second (DI) operand must be addressible from 
the ES register; no segment override is 
possible. 



After the comparison is made, both SI and 
DI are automatically advanced. If the direc- 
tion flag is (CLD was executed), the regis- 
ters increment; if the direction flag is 1 (STD 
was executed), the registers decrement. The 
registers increment or decrement by 1 if a 
byte was moved; by 2 if a word was moved. 

CMPS can be preceded by the REPE or 
REPNE prefix for block comparison of CX 
bytes or words. Refer to the REP instruction 
for details of this operation. 

PROTECTED MODE EXCEPTIONS 

#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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CWD — Convert Word to Doubleword 



Opcode 

99 



Instruction 

CWD 



Clocks 
2 



Description 

Convert word to doubleword (DX:AX = AX) 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

CWD converts the signed word in AX to a 
signed doubleword in DX:AX. It does so by 



extending the top bit of AX into all the bits 
ofDX. 

PROTECTED MODE EXCEPTIONS 

None 

REAL ADDRESS MODE EXCEPTIONS 

None 
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DAA — Decimal Adjust AL After Addition 



Opcode 
27 



Instruction 
DAA 



Clocks 
3 



Description 

Decimal adjust AL after addition 



FLAGS MODIFIED 

Sign, zero, auxiliary carry, parity, carry 



FLAGS UNDEFINED 

Overflow 



OPERATION 

DAA should be executed only after an ADD 
instruction which leaves a two-BCD-digit byte 
result in the AL register. The ADD operands 
should consist of two packed BCD digits. In 
this case, the DAA instruction will adjust AL 
to contain the correct two-digit packed 
decimal result. 



The precise definition of DAA is as follows: 

1 . If the lower 4 bits of AL are greater than 
nine, or if the auxiliary carry flag is 1, 
then increment AL by 6, and set the 
auxiliary carry flag. Otherwise, reset the 
auxiliary carry flag. 

2. If AL is now greater than 9FH, or if the 
carry flag is set, then increment AL by 
60H, and set the carry flag. Otherwise, 
clear the carry flag. 

PROTECTED MODE EXCEPTIONS 

None 

REAL ADDRESS MODE EXCEPTIONS 

None 
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DAS — Decimal Adjust AL After Subtraction 



Opcode 

2F 



Instruction 
DAS 



Clocks 
3 



Description 

Decimal adjust AL after subtraction 



FLAGS MODIFIED 

Sign, zero, auxiliary carry, parity, carry 



FLAGS UNDEFINED 

Overflow 



OPERATION 

DAS should be executed only after a subtrac- 
tion instruction which leaves a two-BCD-digit 
byte result in the AL register. The operands 
should consist of two packed BCD digits. In 
this case, the DAS instruction will adjust AL 
to contain the correct packed two-digit 
decimal result. 



The precise definition of DAS is as follows: 

1. If the lower four bits of AL are greater 
than 9, or if the auxiliary carry flag is 1, 
then decrement AL by 6, and set the 
auxiliary carry flag. Otherwise, reset the 
auxiliary carry flag. 

2. If AL is now greater than 9FH, or if the 
carry flag is set, then decrement AL by 
60H, and set the carry flag. Otherwise, 
clear the carry flag. 

PROTECTED MODE EXCEPTIONS 

None 

REAL ADDRESS MODE EXCEPTIONS 

None 
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DEC — Decrement by 1 



Opcode Instruction Clocks Description 

FE /1 DEC eb 2,mem=7 Decrement EA byte by 1 

FF /1 DEC ew 2,mem=7 Decrement EA word by 1 

48+ rw DEC rw 2 Decrement word register by 1 



FLAGS MODIFIED 

Overflow, sign, zero, auxiliary carry, parity 

FLAGS UNDEFINED 

None 

OPERATION 

1 is subtracted from the operand. Note that 
the carry flag is not changed by this instruc- 
tion. If you want the carry flag set, use the 
SUB instruction with a second operand of 1. 



PROTECTED MODE EXCEPTIONS 

#GP(0) if the operand is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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DIV — Unsigned Divide 



Opcode 

F6 /6 
F7 /6 



Instruction Clocks Description 

DIV eb 14,mem=17 Unsigned divide AX by EA byte 

DIV ew 22,mem=25 Unsigned divide DX:AX by EA word 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

Overflow, sign, zero, auxiliary carry, parity, 
carry 

OPERATION 

DIV performs an unsigned divide. The 
dividend is implicit; only the divisor is given 
as an operand. If the source operand is a 
BYTE operand, divide AX by the byte. The 
quotient is stored in AL, and the remainder 
is stored in AH. If the source operand is a 
WORD operand, divide DX:AX by the word. 
The high-order 16 bits of the dividend are 
kept in DX. The quotient is stored in AX, and 



the remainder is stored in DX. Non-integral 
quotients are truncated towards 0. The 
remainder is always less than the dividend. 

PROTECTED MODE EXCEPTIONS 

Interrupt if the quotient is too big to fit in 
the designated register (AL or AX), or if the 
divisor is zero. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt if the quotient is too big to fit in 
the designated register (AL or AX), or if the 
divisor is zero. Interrupt 13 for a word 
operand at offset OFFFFH. 
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ENTER — Make Stack Frame for Procedure Parameters 



Opcode 

C8 dw 00 

C8 dw 01 

C8 dw db 



Instruction 

ENTER dw.O 
ENTER dwA 
ENTER dw.db 



Clocks 

11 
15 
12+4do 



Description 

Make stack frame for procedure parameters 
Make stack frame for procedure parameters 
Make stack frame for procedure parameters 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

ENTER is used to create the stack frame 
required by most block-structured high-level 
languages. The first operand specifies how 
many bytes of dynamic storage are to be 
allocated on the stack for the routine being 
entered. The second operand gives the lexical 
nesting level of the routine within the high- 
level-language source code. It determines how 
many stack frame pointers are copied into the 
new stack frame from the preceding frame. 
BP is used as the current stack frame pointer. 

If the second operand is 0, ENTER pushes 
BP, sets BP to SP, and subtracts the first 
operand from SP. 

For example, a procedure with 12 bytes of 
local variables would have an ENTER 12,0 
instruction at its entry point and a LEAVE 
instruction before every RET. The 12 local 



bytes would be addressed as negative offsets 
from [BP]. 

The formal definition of the ENTER instruc- 
tion for all cases is given by the following 
listing. LEVEL denotes the value of the 
second operand. 

LEVEL: = LEVELMOD32 

PushBP 

Set a temporary value FRAME_PTR := SP 

If LEVEL > then 

Repeat (LEVEL- 1) times: 
BP:=BP-2 
Push the word pointed to by BP 

End repeat 

Push FRAME.PTR 
End if 

BP := FRAME_PTR 
SP := SP - first operand. 

PROTECTED MODE EXCEPTIONS 

#SS(0) if SP were to go outside of the stack 
limit within any part of the instruction 
execution. 

REAL ADDRESS MODE EXCEPTIONS 

None 
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HLT— Halt 



Opcode 

F4 



Instruction 
HLT 



Clocks 
2 



Description 

Halt 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

Successful execution of HLT causes the iAPX 
286 to cease executing instructions and to 
enter a HALT state. Execution resumes only 
upon receipt of an enabled interrupt or a reset. 



If an interrupt is used to resume program 
execution after HLT, the saved CS:IP value 
will point to the instruction that follows HLT. 

PROTECTED MODE EXCEPTIONS 

HLT is a privileged instruction. #GP(0) if the 
current privilege level is not 0. 

REAL ADDRESS MODE EXCEPTIONS 

None 
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IDIV— Signed Divide 



Opcode 

F6 /7 
F7 /7 



Instruction Clocks 

IDIV eb 17,mem=20 

IDIV ew 25,mem=28 



Description 

Signed divide AX by EA byte (AL=Quo, 

AH = Rem) 

Signed divide DX:AX by EA word (AX=Quo, 

DX=Rem) 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

Overflow, sign, zero, auxiliary carry, parity, 
carry 

OPERATION 

IDIV performs a signed divide. The dividend 
is implicit; only the divisor is given as an 
operand. If the source operand is a BYTE 
operand, divide AX by the byte. The quotient 
is stored in AL, and the remainder is stored 
in AH. If the source operand is a WORD 
operand, divide DX:AX by the word. The 
high-order 16 bits of the dividend are in DX. 
The quotient is stored in AX, and the 
remainder is stored in DX. Non-integral 



quotients are truncated towards 0. The 
remainder has the same sign as the dividend 
and always has less magnitude than the 
dividend. 

PROTECTED MODE EXCEPTIONS 

Interrupt if the quotient is too big to fit in 
the designated register (AL or AX), or if the 
divisor is 0. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt if the quotient is too big to fit in 
the designated register (AL or AX), or if the 
divisor is 0. Interrupt 13 for a word operand 
at offset OFFFFH. 
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IMUL — Signed Multiply 



Opcode 




Instruction 


Clocks 




Description 




F6 


/5 




IMUL 


eb 


13 


mem = 


= 16 


Signed multiply (AX 


= AL X EA byte) 


F7 


/5 




IMUL 


ew 


21 


mem= 


=24 


Signed multiply (DXAX = AX X EA word) 


6B 


lr 


db 


IMUL 


rw.db 


21 


mem = 


=24 


Signed multiply imm 


byte into word reg. 


69 


/r 


dw 


IMUL 


rw.ew.dw 


21 


mem= 


=24 


Signed multiply (rw = 


= EA word X imm. word) 


6B 


lr 


db 


IMUL 


rw,ew,db 


21 


mem= 


=24 


Signed multiply (rw = 


= EA word X imm. byte) 



FLAGS MODIFIED 

Overflow, carry 

FLAGS UNDEFINED 

Sign, zero, auxiliary carry, parity 

OPERATION 

IMUL performs signed multiplication. If 
IMUL has a single byte source operand, then 
the source is multiplied by AL and the 16-bit 
signed result is left in AX. Carry and overflow 
are set to if AH is a sign extension of AL; 
they are set to 1 otherwise. 

If IMUL has a single word source operand, 
then the source operand is multiplied by AX 
and the 32-bit signed result is left in DX:AX. 
DX contains the high-order 16 bits of the 
product. Carry and overflow are set to if 
DX is a sign extension of AX; they are set to 
1 otherwise. 

If IMUL has three operands, then the second 
operand (an effective address word) is multi- 



plied by the third operand (an immediate 
word), and the 16 bits of the result are placed 
in the first operand (a word register). Carry 
and overflow are set to if the result fits in a 
signed word (between —32768 and +32767, 
inclusive); they are set to 1 otherwise. 

NOTE 

The low 16 bits of the product of a 16-bit 
signed multiply are the same as those of 
an unsigned multiply. The three operand 
IMUL instruction can be used for 
unsigned operands as well. 

PROTECTED MODE EXCEPTIONS 

#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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IN — Input from Port 



Opcode 

E4 db 

EC 

E5 db 

ED 



Instruction 



IN 
IN 
IN 
IN 



AL,db 
AL.DX 
AX.db 
AX.DX 



Clocks 

5 
5 
5 
5 



Description 

Input byte from immediate port into AL 
Input byte from port DX into AL 
Input word from immediate port into AX 
Input word from port DX into AX 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

IN transfers a data byte or data word from 
the port numbered by the second operand into 
the register (AL or AX) given as the first 
operand. You can access any port from to 
65535 by placing the port number in the DX 
register then using an IN instruction with DX 
as the second parameter. These I/O instruc- 
tions can be shortened by using an 8-bit port 



I/O in the instruction. The upper 8 bits of the 
port address will be zero when an 8-bit port 
I/O is used. 

Intel has reserved I/O port addresses 00F8H 
to OOFFH; they should not be used. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the current privilege level is bigger 
(has less privilege) than IOPL, which is the 
privilege level found in the flags register. 

REAL ADDRESS MODE EXCEPTIONS 

None 
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INC — Increment by 1 



Opcode Instruction Clocks Description 

FE /0 INC eb 2,mem=7 Increment EA byte by 1 

FF /0 INC ew 2,mem=7 Increment EA word by 1 

40+ rw INC rw 2 Increment word register by 1 



FLAGS MODIFIED 

Overflow, sign, zero, auxiliary carry, parity 

FLAGS UNDEFINED 

None 

OPERATION 

1 is added to the operand. Note that the carry 
flag is not changed by this instruction. If you 
want the carry flag set, use the ADD instruc- 
tion with a second operand of 1. 



PROTECTED MODE EXCEPTIONS 

#GP(0) if the operand is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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INS/INSB/INSW— Input from Port to String 



Opcode 

6C 
6D 
6C 
6D 



Instruction 

INS eo.DX 
INS ew.DX 
INSB 
INSW 



Clocks 

5 
5 
5 
5 



Description 

Input byte from port DX into ES:[DI] 
Input word from port DX into ES:[DI] 
Input byte from port DX into ES:[DI] 
Input word from port DX into ES:[DI] 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

INS transfers data from the input port 
numbered by the DX register to the memory 
byte or word at ES:DI. The memory operand 
must be addressable from the ES register; no 
segment override is possible. 

INS does not allow the specification of the 
port number as an immediate value. The port 
must be addressed through the DX register. 

After the transfer is made, DI is automati- 
cally advanced. If the direction flag is (CLD 
was executed), DI increments; if the direction 
flag is 1 (STD was executed), DI decrements. 
DI increments or decrements by 1 if a byte 
was moved; by 2 if a word was moved. 



INS can be preceded by the REP prefix for 
block input of CX bytes or words. Refer to 
the REP instruction for details of this 
operation. 

Intel has reserved I/O port addresses 00F8H 
to OOFFH; they should not be used. 

NOTE 

Not all input port devices can handle the 
rate at which this instruction transfers 
input data to memory. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if CPL > IOPL. #GP(0) if the desti- 
nation is in a non-writable segment. #GP(0) 
for an illegal memory operand effective 
address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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INT/INTO — Call to Interrupt Procedure 



Opcode 


Instruction 


Clocks (1) 


Description 


CC 


INT 3 


23(2) 


Interrupt 3 (trap to debugger) 


CC 


INT 3 


40 


Interrupt 3, protected mode, same privilege 


CC 


INT 3 


78 


Interrupt 3, protected mode, more privilege 


CC 


INT 3 


167 


Interrupt 3, protected mode, via task gate 


CD db 


INT db 


23<2) 


Interrupt numbered by immediate byte 


CD db 


INT db 


40 


Interrupt, protected mode, same privilege 


CD db 


INT db 


78 


Interrupt, protected mode, more privilege 


CD db 


INT db 


167 


Interrupt, protected mode, via task gate 


CE 


INTO 


24,noj=3<2) 


Interrupt 4 if overflow flag is 1 



(1) = Add one clock for each byte of the next instruction executed. 

(2) = (real mode) 



FLAGS UNDEFINED 

None 

FLAGS MODIFIED 

All if a task switch takes place; none if no 
task switch occurs. 

OPERATION 

The INT instruction generates via software a 
call to an interrupt procedure. The immedi- 
ate operand, from to 255, gives the index 
number into the Interrupt Descriptor Table 
of the interrupt routine to be called. In 
protected mode, the IDT consists of 8-byte 
descriptors; the descriptor for the interrupt 
invoked must indicate an interrupt gate, a trap 
gate, or a task gate. In real address mode, the 
IDT is an array of 4-byte long pointers at the 
fixed location 00000H. 

The INTO instruction is identical to the INT 
instruction except that the interrupt number 
is implicitly 4, and the interrupt is made only 
if the overflow flag of the iAPX 286 is on. 
The clock counts for the four forms of INT 



db are valid for INTO, with the number of 
clocks increased by 1 for the overflow flag 
test. . 

The first 32 interrupts are reserved by Intel 
for systems use. Some of these interrupts are 
exception handlers for internally-generated 
faults. Most of these exception handlers 
should not be invoked with the INT 
instruction. 

Generally, interrupts behave like far CALLs 
except that the flags register is pushed onto 
the stack before the return address. Interrupt 
procedures return via the IRET instruction, 
which pops the flags from the stack. 

In Real Address mode, INT pushes the flags, 
CS, and the return IP onto the stack in that 
order, then jumps to the long pointer indexed 
by the interrupt number. 

In Protected mode, the precise semantics of 
the INT instruction are given by the 
following listing: 



INTERRUPT 

Interrupt vector must be within IDT table limits else #GP (vector number X 8+2+EXT) 

Descriptor AR byte must indicate interrupt gate, trap gate, or task gate else #GP (vector number X 8+2+EXT) 

If INT instruction then gate descriptor DPL must be > CPL else #GP (vector number X 8+2+EXT) 
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Gate must be PRESENT else #NP (vector number X 8+2+ EXT) 
If TRAP GATE or INTERRUPT GATE: 

Examine CS selector and descriptor given in the gate descriptor- 
Selector must be non-null else #GP (EXT) 

Selector must be within its descriptor table limits else #GP (selector + EXT) 
Descriptor AR byte must indicate code segment else #GP (selector + EXT) 
Segment must be PRESENT else #NP (selector + EXT) 
If code segment is non-conforming and DPL < CPL then 
INTERRUPT TO INNER PRIVILEGE: 

Check selector and descriptor for new stack in current Task State Segment: 
Selector must be non-null else #GP(EXT) 

Selector index must be within its descriptor table limits else #TS (SS selector + EXT) 
Selector's RPL must equal DPL of code segment else #TS (SS selector+EXT) 
Stack segment DPL must equal DPL of code segment else #TS (SS selector+EXT) 
Descriptor must indicate writable data segment else #TS (SS selector+EXT) 
Segment must be PRESENT else #SS (SS selector+EXT) 
New stack must have room for 1 bytes else #SS(0) 
IP must be in CS limit else #GP(0) 
Load new SS and SP value from TSS 
Load new CS and IP value from gate 
Load CS descriptor 
Load SS descriptor 

Push long pointer to old stack onto new stack 
Push return address onto new stack 
Set CPL to new code segment DPL 
Set RPL of CS to CPL 

If INTERRUPT GATE then set the Interrupts Enabled Flag to (disabled) 
Set the Trap Flag to 
Set the Nested Task Flag to 
If code segment is conforming or code segment DPL = CPL then 
INTERRUPT TO SAME PRIVILEGE LEVEL: 

Current stack limits must allow pushing 6 bytes else #SS(0) 
If interrupt was caused by fault with error code then 

Stack limits must allow push of two more bytes else #SS(0) 
IP must be in CS limit else #GP(0) 
Push flags onto stack 
Push current CS selector onto stack 
Push return offset onto stack 
Load CS.-IP from gate 
Load CS descriptor 
Set the RPL field of CS to CPL 
Push error code (if any) onto stack 

If INTERRUPT GATE then set the Interrupts Enabled Flag to (disabled) 
Set the Trap Flag to 
Set the Nested Task Flag to 

Else #GP (CS selector + EXT) 

If TASK GATE: 

Examine selector to TSS, given in Task Gate descriptor: 

Must specify global in the local/global bit else #GP (TSS selector) 

Index must be within GDT limits else #GP (TSS selector) 

AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector) 

Task State Segment must be PRESENT else #NP (TSS selector) 
SWITCHJTASKS with nesting to TSS 
If interrupt was caused by fault with error code then 

Stack limits must allow push of two more bytes else #SS(0) 

Push error code onto stack 
IP must be in CS limit else #GP(0) 
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NOTE 

EXT is 1 if an external event (i.e., a single 
step, an external interrupt, an MF excep- 
tion, or an MP exception) caused the 
interrupt; if not (i.e., an INT instruc- 
tion or other exceptions). 



PROTECTED MODE EXCEPTIONS 

#GP, #NP, #SS, and #TS, as indicated in the 
list above. 

REAL ADDRESS MODE EXCEPTIONS 

None 
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IRET — Interrupt Return 



Opcode 

CF 
CF 
CF 



Instruction Clocks* Description 

IRET 17,pm=31 Interrupt return (far return arid pop flags) 

IRET 55 Interrupt return, lesser privilege 

IRET 169 Interrupt return, different task (NT=1) 



*Add one clock for each byte in the next instruction executed. 



FLAGS MODIFIED 

Entire flags register popped from stack 

FLAGS UNDEFINED 

None 

OPERATION 

In real address mode, IRET pops IP, CS, and 
FLAGS from the stack and resumes the 
interrupted routine. 

In protected mode, the action of IRET 
depends on the setting of the Nested Task 
Flag (NT). 



If NT=0, IRET returns from an interrupt 
procedure without a task switch. The code 
returned to must be equally or less privileged 
than the interrupt routine. 

If NT=1, IRET reverses the operation of a 
CALL or INT that caused a task switch. The 
task executing IRET has its updated state 
saved in its Task State Segment. This means 
that if the task is re-entered, the code that 
follows IRET will be executed. 

The exact checks and actions performed by 
IRET in protected mode are given on the 
following page. 
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INTERRUPT RETURN: 

If Nested Task Flag = 1 then 

RETURN FROM NESTED TASK: 

Examine Back Link Selector in TSS addressed by the current Task Register: 
Must specify global in the local/global bit else #TS (new TSS selector) 
Index must be within GDT limits else #TS (new TSS selector) 
AR byte must specify TSS else #TS (new TSS selector) 
New TSS must be busy else #TS (new TSS selector) 
Task State Segment must be PRESENT else #NP (new TSS selector) 
SWITCH_TASKS without nesting to TSS specified by back link selector 
Mark the task just abandoned as NOT BUSY 
IP must be in code segment limit else #GP(0) 

If Nested Task Flag=0 then 

INTERRUPT RETURN ON STACK: 

Second word on stack must be within stack limits else #SS(0) 
Return CS selector RPL must be > CPL else #GP (Return selector) 
If return selector RPL = CPL then 

INTERRUPT RETURN TO SAME LEVEL: 

Top 6 bytes on stack must be within limits else #SS(0) 

Return CS selector (at SP+2) must be non-null else #GP(0) 

Selector index must be within its descriptor table limits else #GP( Return selector) 

AR byte must indicate code segment else #GP (Return selector) 

If non-conforming then code segment DPL must = CPL else #GP (Return selector) 

If conforming then code segment DPL must be < CPL else #GP (Return selector) 

Segment must be PRESENT else #NP (Return selector) 

IP must be in code segment limit else #GP(0) 

Load CS:IP from stack 

Load CS-cache with new code segment descriptor 

Load flags with third word on stack 

Increment SP by 6 
Else 

INTERRUPT RETURN TO OUTER PRIVILEGE LEVEL: 
Top 10 bytes on stack must be within limits else #SS(0) 
Examine return CS selector (at SP+2) and associated descriptor: 

Selector must be non-null else #GP(0) 

Selector index must be within its descriptor table limits else #GP (Return selector) 

AR byte must indicate code segment else #GP (Return selector) 

If non-conforming then code segment DPL must = CS selector RPL else #GP (Return selector) 

If conforming then code segment DPL must be > CPL else #GP (Return selector) 

Segment must be PRESENT else #NP (Return selector) 
Examine return SS selector (at SP+8) and associated descriptor: 

Selector must be non-null else #GP(0) 

Selector index must be within its descriptor table limits else #GP (SS selector) 

Selector RPL must equal the RPL of the return CS selector else #GP (SS selector) 

AR byte must indicate a writable data segment else #GP (SS selector) 

Stack segment DPL must equal the RPL of the return CS selector else #GP (SS selector) 

SS must be PRESENT else #NP (SS selector) 
IP must be in code segment limit else #GP(0) 
Load CS:IP from stack 
Load flags with values at (SP+4) 
Load SS:SP from stack 
Set CPL to the RPL of the return CS selector 
Load the CS-cache with the CS descriptor 
Load the SS-cache with the SS descriptor 
For each of ES and DS: 

If the current register setting is not valid for the outer level, then zero the register and 
clear the valid flag 

To be valid, the register setting must satisfy the following properties: 
Selector index must be within descriptor table limits 
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AR byte must indicate data or readable code segment 
If segment is data or non-conforming code, then: 
DPL must be > CPL, or 
DPL must be > RPL 

PROTECTED MODE EXCEPTIONS REAL ADDRESS MODE EXCEPTIONS 

#GP, #NP, or #SS, as indicated in the above Interrupt 13 if the stack is popped when it 

listing. has offset OFFFFH. 
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Jcond — Jump Short If Condition Met 



Opcode 


Instruction 


Clocks* 


Description 


77 


cb 


JA cb 


7,noj=3 


Jump short if above (CF=0 and ZF=0) 


73 


cb 


JAE cb 


7,noj=3 


Jump short if above or equal (CF=0) 


72 


cb 


JB cb 


7,noj=3 


Jump short if below (CF=1) 


76 


cb 


JBE cb 


7,noj=3 


Jump short if below or equal (CF=1 orZF=1) 


72 


cb 


JC cb 


7,noj=3 


Jump short if carry (CF=1) 


E3 


cb 


JCXZ cb 


8,noj=4 


Jump short if CX register is zero 


74 


cb 


JE cb 


7,noj=3 


Jump short if equal (ZF= 1 ) 


7F 


cb 


JG cb 


7,noj=3 


Jump short if greater (ZF=0 and SF=OF) 


7D 


cb 


JGE cb 


7,noj=3 


Jump short if greater or equal (SF=OF) 


7C 


cb 


JL cb 


7,noj=3 


Jump short if less (SF/=OF) 


7E 


cb 


JLE cb 


7,noj=3 


Jump short if less or equal (ZF=1 or SF/=OF) 


76 


cb 


JNA ob 


7,noj=3 


Jump short if not above (CF=1 orZF=1) 


72 


cb 


JNAE cb 


7,noj=3 


Jump short if not above/equal (CF=1) 


73 


cb 


JNB cb 


7,noj=3 


Jump short if not below (CF=0) 


77 


cb 


JNBE cb 


7,noj=3 


Jump short if not below/equal (CF=0 and 

ZF=0) 

Jump short if not carry (CF=0) 


73 


cb 


JNC cb 


7,noj=3 


75 


cb 


JNE cb 


7,noj=3 


Jump short if not equal (ZF=0) 


7E 


cb 


JNG cb 


7,noj=3 


Jump short if not greater (ZF=1 or SF/=OF) 


7C 


cb 


JNGE cb 


7,noj=3 


Jump short if not greater/equal (SF/=OF) 


7D 


cb 


JNL cb 


7,noj=3 


Jump short if not less (SF=OF) 


7F 


cb 


JNLE cb 


7,noj=3 


Jump short if not less/equal (ZF=0 and 
SF=OF) 


71 


cb 


JNO cb 


7,noj=3 


Jump short if not overflow (OF=0) 


7B 


cb 


JNP cb 


7,noj=3 


Jump short if not parity (PF=0) 


79 


cb 


JNS cb 


7,noj=3 


Jump short if not sign (SF=0) 


75 


cb 


JNZ cb 


7,noj=3 


Jump short if not zero (ZF=0) 


70 


cb 


JO cb 


7,noj=3 


Jump short if overflow (OF= 1 ) 


7A 


cb 


JP cb 


7,noj=3 


Jump short if parity (PF=1) 


7A 


cb 


JPE cb 


7,noj=3 


Jump short if parity even (PF=1) 


7B 


cb 


JPO cb 


7,noj=3 


Jump short if parity odd (PF=0) 


78 


cb 


JS cb 


7,noj=3 


Jump short if sign (SF=1) 


74 


cb 


JZ cb 


7,noj=3 


Jump short if zero (ZF=1) 



*When a jump is taken, add one clock for every byte of the next instruction executed. 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

Conditional jumps (except for JCXZ, 
explained below) test the flags, which 
presumably have been set in some meaning- 
ful way by a previous instruction. The condi- 
tions for each mnemonic are given in 
parentheses after each description above. The 



terms "less" and "greater" are used for 
comparing signed integers; "above" and 
"below" are used for unsigned integers. 

If the given condition is true, then a short 
jump is made to the label provided as the 
operand. The operand must be in the range 
from 1 26 bytes before the instruction to 1 27 
bytes beyond the instruction. This range is 
necessary for the assembler to construct a one- 
byte signed displacement from the end of the 
current instruction. If the label is out-of- 
range, or if the label is a FAR label, then you 
must perform a jump with the opposite 
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condition around an unconditional jump to the 
non-short label. 

Because there are, in many instances, several 
ways to interpret a particular state of the 
flags, ASM286 provides more than one 
mnemonic for most of the conditional jump 
opcodes. For example, consider that a 
programmer who has just compared a 
character to another in AL might wish to 
jump if the two were equal (JE), while 
another programmer who had just ANDed 
AX with a bit field mask would prefer to 
consider only whether the result was zero or 
not (he would use JZ, a synonym for JE). 

JCXZ differs from the other conditional 
jumps in that it actually tests the contents of 
the CX register for zero, rather than interro- 



gating the flags. This instruction is useful 
following a conditionally repeated string 
operation (REPE SCASB, for example) or a 
conditional loop instruction (such as 
LOOPNE TARGETLABEL). These 
instructions implicitly use a limiting count in 
the CX register. Looping (repeating) ends 
when either the CX register goes to zero or 
the condition specified in the instruction (flags 
indicating equals in both of the above cases) 
occurs. JCXZ is useful when the termina- 
tions must be handled differently. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the offset jumped to is beyond the 
limits of the code segment. 

REAL ADDRESS MODE EXCEPTIONS 

None 
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JMP — Jump 



Opcode 


Instruction 


Clocks* 


Description 


EB cb 


JMP cb 


7 


Jump short 


EA cd 


JMP cd 


180 


Jump to task gate 


E9 cw 


JMP civ 


7 


Jump near 


EA cd 


JMP cd 


11,pm=23 


Jump far (4-byte immediate address) 


EA cd 


JMP cd 


38 


Jump to call gate, same privilege 


EA cd 


JMP cd 


175 


Jump via Task State Segment 


FF /4 


JMP ew 


7,mem=11 


Jump near to EA word (absolute offset) 


FF /5 


JMP md 


15,pm=26 


Jump far (4-byte address in memory double- 
word) 


FF /5 


JMP md 


41 


Jump to call gate, same privilege 


FF /5 


JMP md 


178 


Jump via Task State Segment 


FF /5 


JMP md 


183 


Jump to task gate 



*Add one clock for every byte of the next instruction executed. 



FLAGS MODIFIED 

All if a task switch takes place; none if no 
task switch occurs. 

FLAGS UNDEFINED 

None 

OPERATION 

The JMP instruction transfers program 
control to a different instruction stream 
without recording any return information. 

For inter-segment jumps, the destination can 
be a code segment, a call gate, a task gate, or 
a Task State Segment. The latter two desti- 
nations cause a complete task switch to take 
place. 

Control transfers within a segment use the 
JMP cw or JMP cb forms. The operand is a 
relative offset added modulo 65536 to the 
offset of the instruction that follows the JMP. 
The result is the new value of IP; the value of 
CS is unchanged. The byte operand is sign- 
extended before it is added; it can therefore 
be used to address labels within 128 bytes in 
either direction from the next instruction. 



Indirect jumps within a segment use the JMP 
ew form. The contents of the register or 
memory operand is an absolute offset, which 
becomes the new value of IP. Again, CS is 
unchanged. 

Inter-segment jumps in real address mode 
simply set IP to the offset part of the long 
pointer and set CS to the selector part of the 
pointer. 



In protected mode, inter-segment jumps cause 
the iAPX 286 to consult the descriptor 
addressed by the selector part of the long 
pointer. The AR byte of the descriptor deter- 
mines the type of the destination. (See table 
B-3 for possible values of the AR byte.) 
Following are the possible destinations: 

1. Code segment — The addressability and 
visibility of the destination are verified, 
and CS and IP are loaded with the desti- 
nation pointer values. 

2. Call gate — The offset part of the desti- 
nation pointer is ignored. After checking 
for validity, the processor jumps to the 
location stored in the call gate descriptor. 
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3. Task gate — The current task's state is 4. TSS — The current task is suspended and 
saved in its Task State Segment (TSS), the new task is initiated as in 3 above 

and the TSS named in the task gate is except that there is no intervening gate, 

used to load a new context. The outgoing 
task is marked not busy, the new TSS is 
marked busy, and execution resumes at 

the point at which the new task was last Following is the list of checks and actions 

suspended. taken for long jumps in protected mode: 

JUMP FAR: 

If indirect then check access of EA doubleword #GP(0) or #SS(0) if limit violation 
Destination selector is not null else #GP(0) 

Destination selector index is within its descriptor table limits else #GP (selector) 
Examine AR byte of destination selector for legal values: 

JUMP CONFORMING CODE SEGMENT: 

Descriptor DPL must be > CPL else #GP (selector) 
Segment must be PRESENT else #NP (selector) 
IP must be in code segment limit else #GP(0) 
Load CS:IP from destination pointer 
Load CS-cache with new segment descriptor 
Set RPL field of CS register to CPL 

JUMP NONCONFORMING CODE SEGMENT: 

RPL of destination selector must be < CPL else #GP (selector) 

Descriptor DPL must = CPL else #GP (selector) 

Segment must be PRESENT else #NP (selector) 

IP must be in code segment limit else #GP(0) 

Load CS:IP from destination pointer 

Load CS-cache with new segment descriptor 

Set RPL field of CS register to CPL 

JUMP TO CALL GATE: 

Descriptor DPL must be > CPL else #GP (gate selector) 

Descriptor DPL must be > gate selector RPL else #GP (gate selector) 

Gate must be PRESENT else #NP (gate selector) 

Examine selector to code segment given in call gate descriptor: 

Selector must not be null else #GP(0) 

Selector must be within its descriptor table limits else #GP (CS selector) 

Descriptor AR byte must indicate code segment else #GP (CS selector) 

If non-conforming, code segment descriptor DPL must = CPL else #GP (CS selector) 

If conforming, then code segment descriptor DPL must be < CPL else #GP (CS selector) 

Code Segment must be PRESENT else #NP (CS selector) 

IP must be in code segment limit else #GP(0) 

Load CS:IP from call gate 
Load CS-cache with new code segment 
Set RPL of CS to CPL 

JUMP TASK GATE: 

Gate descriptor DPL must be > CPL else #GP (gate selector) 

Gate descriptor DPL must be > gate selector RPL else #GP (gate selector) 

Task Gate must be PRESENT else #NP (gate selector) 

Examine selector to TSS, given in Task Gate descriptor: 

Must specify global in the local/global bit else #GP (TSS selector) 

Index must be within GDT limits else #GP (TSS selector) 

Descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector) 

Task State Segment must be PRESENT else #NP (TSS selector) 
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SWITCH_TASKS without nesting to TSS 
IP must be in code segment limit else #GP(0) 

JUMP TASK STATE SEGMENT: 

TSS DPL must be > CPL else #GP (TSS selector) 

TSS DPL must be > TSS selector RPL else #GP (TSS selector) 

Descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector) 

Task State Segment must be PRESENT else #NP (TSS selector) 

SWITCH_TASKS with nesting to TS. 

IP must be in code segment limit else #GP(0) 

Else GP (selector) 

PROTECTED MODE EXCEPTIONS REAL ADDRESS MODE EXCEPTIONS 

For NEAR jumps, #GP(0) if the destination #UD if indirect inter-segment jump operand 

offset is beyond the limits of the current code is a register, 

segment. For FAR jumps, #GP, #NP, #SS, 
and #TS, as indicated above. #UD if indirect 
inter-segment jump operand is a register. 
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LAHF — Load Flags into AH Register 



Opcode 

9F 



Instruction 
LAHF 



Clocks 
2 



Description 

Load: AH = flags SF ZF xx AF xx PF xx CF 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The low byte of the flags word is transferred 
to AH. The bits, from top to bottom, are as 



follows: sign, zero, indeterminate, auxiliary 
carry, indeterminate, parity, indeterminate, 
and carry. 

PROTECTED MODE EXCEPTIONS 

None 

REAL ADDRESS MODE EXCEPTIONS 

None 
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LAR — Load Access Rights Byte 



Opcode Instruction Clocks Description 

OF 02 /r LAR rw.ew 14,mem=16 Load: high(rw)= Access Rights byte.selector 

ew 



FLAGS MODIFIED 

Zero 

FLAGS UNDEFINED 

None 

OPERATION 

LAR expects the second operand (memory or 
register word) to contain a selector. If the 
associated descriptor is visible at the current 
privilege level and at the selector RPL, then 
the access rights byte of the descriptor is 
loaded into the high byte of the first (regis- 
ter) operand, and the low byte is set to zero. 
The zero flag is set if the loading was 
performed (i.e., the selector index is within the 



table limit, descriptor DPL >: CPL, and 
descriptor DPL > selector RPL); the zero 
flag is cleared otherwise. 

Selector operands cannot cause protection 
exceptions. 

PROTECTED MODE EXCEPTIONS 

#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 

REAL ADDRESS MODE EXCEPTION 
INTERRUPT 6; LAR is unrecognized in 
Real Address mode. 
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LDS/LES — Load Doubleword Pointer 



Opcode 

C5 /r 
C4 \r 



Instruction Clocks 

LDS rw,ed 7,pm=21 

LES rw.ed 7,pm=21 



Description 

Load EA doubleword into DS and word 

register 

Load EA doubleword into ES and word 

register 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The four-byte pointer at the memory location 
indicated by the second operand is loaded into 
a segment register and a word register. The 
first word of the pointer (the offset) is loaded 
into the register indicated by the first operand. 
The last word of the pointer (the selector) is 
loaded into the segment register (DS or ES) 
given by the instruction opcode. 



When the segment register is loaded, its 
associated cache is also loaded. The data for 
the cache is obtained from the descriptor table 
entry for the selector given. 

A null selector (values 0000-0003) can be 
loaded into DS or ES without a protection 
exception. Any memory reference using such 
a segment register value will cause a #GP(0) 
exception but will not result in a memory 
reference. The saved segment register value 
will be null. 

Following is a list of checks and actions taken 
when loading the DS or ES registers: 



If selector is non-null then: 

Selector index must be within its descriptor table limits else #GP (selector) 
Examine descriptor AR byte: 

Data segment or readable non-conforming code segment 
Descriptor DPL > CPL else #GP (selector) 
Descriptor DPL > selector RPL else #GP (selector) 

Readable conforming code segment 
No DPL, RPL, or CPL checks 

Else #GP (selector) 

Segment must be present else #NP (selector) 

Load registers from operand 

Load segment register descriptor cache 

If selector is null then: 

Load registers from operand 

Mark segment register cache as invalid 
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PROTECTED MODE EXCEPTIONS REAL ADDRESS MODE EXCEPTIONS 

#GP or #NP, as indicated in the list above. Interrupt 13 for operand at offset OFFFFH 

#GP(0) or #SS(0) if operand lies outside or OFFFDH. #UD if the source operand is a 

segment limit. #UD if the source operand is register, 
a register. 
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LEA — Load Effective Address Offset 



Opcode 

8D /r 



Instruction 

LEA rw,m 



Clocks 
3 



Description 

Calculate EA offset given by m, place in rw 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The effective address (offset part) of the 



second operand is placed in the first (regis- 
ter) operand. 

PROTECTED MODE EXCEPTIONS 

#UD if second operand is a register. 

REAL ADDRESS MODE EXCEPTIONS 

#UD if second operand is a register. 
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LEAVE — High Level Procedure Exit 



Opcode 


Instruction 


Clocks 


C9 


LEAVE 


5 


FLAGS MODIFIED 






None 






FLAGS UNDEFINED 






None 







Description 

Set SP to BP, then POP BP 



OPERATION 

LEAVE is the complementary operation to 
ENTER; it reverses the effects of that 
instruction. By copying BP to SP, LEAVE 
releases the stack space used by a procedure 
for its dynamics and display. The old frame 
pointer is now popped into BP, restoring the 



caller's frame, and a subsequent RET nn 
instruction will follow the back-link and 
remove any arguments pushed on the stack 
for the exiting procedure. 

PROTECTED MODE EXCEPTIONS 

#SS(0) if BP does not point to a location 
within the current stack segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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LGDT/LIDT — Load Global/Interrupt 

Descriptor Table Register 



Opcode 

OF 01 /2 
OF 01 /3 



Instruction 

LGDT m 
LIDT m 



Clocks 

11 
12 



Description 

Load m into Global Descriptor Table reg 
Load m into Interrupt Descriptor Table reg 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The Global or the Interrupt Descriptor Table 
Register is loaded from the six bytes of 
memory pointed to by the effective address 
operand. The LIMIT field of the descriptor 
table register loads from the first word; the 
next three bytes go to the BASE field of the 
register; the last byte is ignored. 

LGDT and LIDT appear in operating systems 
software; they are not used in application 
programs. 



PROTECTED MODE EXCEPTIONS 

#GP(0) if the current privilege level is not 0. 

#UD if source operand is a register. 

#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 

REAL ADDRESS MODE EXCEPTIONS 

These instructions are valid in Real Address 
mode to allow the power-up initialization for 
Protected mode. 

Interrupt 13 for a word operand at offset 
OFFFFH. #UD if source operand is a 
register. 
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LLDT — Load Local Descriptor Table Register 



Opcode 




Instruction 


Clocks 


Description 


OF 00 


/2 


LLDT ew 


17,mem=19 


Load selector ew into Local Descriptor Table 
register 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The word operand (memory or register) to 
LLDT should contain a selector pointing to 
the Global Descriptor Table. The GDT entry 
should be a Local Descriptor Table. If so, then 
the Local Descriptor Table Register is loaded 
from the entry. The descriptor cache entries 
for DS, ES, SS, and CS are not affected. The 
LDT field in the TSS is not changed. 

The selector operand is allowed to be zero. In 
that case, the Local Descriptor Table Regis- 
ter is marked invalid. All descriptor refer- 



ences (except by LAR, VERR, VERW or 
LSL instructions) will cause a #GP fault. 

LLDT appears in operating systems software; 
it does not appear in applications programs. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the current privilege level is not 0. 
#GP (selector) if the selector operand does not 
point into the Global Descriptor Table, or if 
the entry in the GDT is not a Local Descrip- 
tor Table. #NP (selector) if LDT descriptor 
is not present. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 6; LLDT is not recognized in Real 
Address Mode. 
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LMSW — Load Machine Status Word 



Opcode 

OF 01 /6 



Instruction 

LMSW ew 



Clocks 

3,mem=6 



Description 

Load EA word into Machine Status Word 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The Machine Status Word is loaded from the 
source operand. This instruction may be used 
to switch to protected mode. If so, then it 
must be followed by an intra-segment jump 
to flush the instruction queue. LMSW will not 
switch back to Real Address Mode. 



LMSW appears only in operating systems 
software. It does not appear in applications 
programs. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the current privilege level is not 0. 
#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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LOCK — Assert BUS LOCK Signal 



Opcode 
FO 



Instruction 
LOCK 



Clocks 





Description 

Assert BUSLOCK signal for the next 
instruction 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

LOCK is a prefix that will cause the BUS 
LOCK signal of the iAPX 286 to be asserted 
for the duration of the instruction which it 
precedes. In a multiprocessor environment, 
this signal should be used to ensure that the 
iAPX 286 has exclusive use of any shared 
memory while BUS LOCK is asserted. The 
read-modify-write sequence typically used to 
implement TEST-AND-SET in the iAPX 286 
is the XCHG instruction. XCHG always 
asserts BUS LOCK regardless of the presence 
or absence of the LOCK prefix. 



The LOCK prefix does not lock all bus cycles 
of all instructions. The bus will not remain 
locked for all bus cycles while creating the 
following instructions with multi-word 
operands: CMPS, SCAS, STOS, LODS, 
PUSHA, POPA, CALL, RET, IRET, 
ENTER, BOUND, PUSH, POP, and any 
ESC. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the current privilege level is bigger 
(less privileged) than the I/O privilege level. 

Other exceptions may be generated by the 
subsequent (locked) instruction. 

REAL ADDRESS MODE EXCEPTIONS 

None. Exceptions may still be generated by 
the subsequent (locked) instruction. 
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LODS/LODSB/LODSW— Load String Operand 



Opcode 

AC 
AD 
AC 
AD 



Instruction 

LODS mb 
LODS mw 
LODSB 
LODSW 



Clocks 

5 
5 
5 
5 



Description 

Load byte [SI] into AL 
Load byte [SI] into AL 
Load byte DS:[SI] into AL 
Load byte DS:[SI] into AL 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

LODS loads the AL or AX register with the 
memory byte or word at SI. After the trans- 
fer is made, SI is automatically advanced. If 
the direction flag is (CLD was executed), 
SI increments; if the direction flag is 1 (STD 
was executed), SI decrements. SI increments 



or decrements by 1 if a byte was moved; by 2 
if a word was moved. 

PROTECTED MODE EXCEPTIONS 

#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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LOOP/LOOPcond — Loop Control with CX Counter 



Opcode 


Instruction 


Clocks 


Description 


E2 cb 


LOOP cb 


8,noj=4 


DEC CX; jump short if CX^O 


E1 cb 


LOOPE cb 


8,noj=4 


DEC CX; jump short if CX#0 and equal (ZF=1) 


EO cb 


LOOPNE cb 


8,noj=4 


DEC CX; jump short if CX^O and not equal 
(ZF=0) 


EO cb 


LOOPNZ cb 


8,noj=4 


DEC CX; jump short if CX^O and ZF=0 


E1 cb 


LOOPZ cb 


8,noj=4 


DEC CX; jump short if CX * and zero (ZF= 1 ) 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

LOOP first decrements the CX register 
without changing any of the flags. Then, 
conditions are checked as given in the 
description above for the form of LOOP being 
used. If the conditions are met, then an intra- 
segment jump is made. The destination to 
LOOP is in the range from 126 (decimal) 
bytes before the instruction to 127 bytes 
beyond the instruction. 



The LOOP instructions are intended to 
provide iteration control and to combine loop 
index management with conditional branch- 
ing. To use the LOOP instruction you load an 
unsigned iteration count into CX, then code 
the LOOP at the end of a series of instruc- 
tions to be iterated. The destination of LOOP 
is a label that points to the beginning of the 
iteration. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the offset jumped to is beyond the 
limits of the current code segment. 

REAL ADDRESS MODE EXCEPTIONS 

None 
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LSL — Load Segment Limit 



Opcode Instruction Clocks Description 

OF 03 jr LSL rw,ew 14,mem=16 Load: rw = Segment Limit, selector ew 



FLAGS MODIFIED 

Zero 

FLAGS UNDEFINED 

None 

OPERATION 

If the descriptor denoted by the selector in the 
second (memory or register) operand is visible 
at the CPL, a word that consists of the limit 
field of the descriptor is loaded into the left 
operand, which must be a register. The value 
is the limit field for that segment. The zero 
flag is set if the loading was performed (that 
is, if the selector is non-null, the selector index 
is within the descriptor table limits, the 
descriptor is a non-conforming segment 
descriptor with DPL > CPL, and the 
descriptor DPL > selector RPL); the zero 
flag is cleared otherwise. 



The LSL instruction returns only the limit 
field of segments, task state segments, and 
local descriptor tables. The interpretation of 
the limit value depends on the type of 
segment. 

The selector operand's value cannot result in 
a protection exception. 



PROTECTED MODE EXCEPTIONS 

#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 6; LSL is not recognized in Real 
Address mode. 
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LTR — Load Task Register 



Opcode Instruction Clocks Description 

OF 00 /3 LTR ew 17,mem = 19 Load EA word into Task Register 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The Task Register is loaded from the source 
register or memory location given by the 
operand. The loaded TSS is marked busy. A 
task switch operation does not occur. 

LTR appears only in operating systems 
software. It is not used in applications 
programs. 



PROTECTED MODE EXCEPTIONS 

#GP for an illegal memory operand effective 
address in the CS, DS, or ES segments; #SS 
for an illegal address in the SS segment. 

#GP(0) if the current privilege level is not 0. 
#GP (selector) if the object named by the 
source selector is not a TSS or is already busy. 
#NP (selector) if the TSS is marked not 
present. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 6; LTR is not recognized in Real 

Address mode. 
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MOV — Move Data 



Opcode 


Instruction 


Clocks 


Description 


88 


\r 


MOV eb.rb 


2,mem=3 


Move byte register into EA byte 


89 


/r- 


MOV ew.rw 


2,mem=3 


Move word register into EA word 


8A 


/r 


MOV rb,eb 


2,mem=5 


Move EA byte into byte register 


8B 


/r 


MOV rw,ew 


2,mem=5 


Move EA word into word register 


8C 


/o 


MOV ew.ES 


2,mem=3 


Move ES into EA word 


8C 


/1 


MOV ew.CS 


2,mem=3 


Move CS into EA word 


8C 


/2 


MOV ew.SS 


2,mem=3 


Move SS into EA word 


8C 


/3 


MOV ew,DS 


2,mem=3 


Move DS into EA word 


8E 


/o 


MOV ES.mw 


5,pm = 19 


Move memory word into ES 


8E 


/o 


MOV ES.rw 


2,pm = 17 


Move word register into ES 


8E 


/2 


MOV SS.mw 


5,pm = 19 


Move memory word into SS 


8E 


/2 


MOV SS.rw 


2,pm = 17 


Move word register into SS 


8E 


/3 


MOV DS, mw 


5,pm = 19 


Move memory word into DS 


8E 


/3 


MOV DS.nv 


2,pm = 17 


Move word register into DS 


AO 


dw 


MOV AL.xb 


5 


Move byte variable (offset dw) into AL 


A1 


dw 


MOV AX.xw 


5 


Move word variable (offset dw) into AX 


A2 


dw 


MOV xb,AL 


3 


Move AL into byte variable (offset dw) 


A3 


dw 


MOV xw.AX 


3 


Move AX into word register (offset dw) 


B0+ 


rb db 


MOV rb,db 


2 


Move immediate byte into byte register 


B8+ 


rw dw 


MOV rw,dw 


2 


Move immediate word into word register 


C6 


/0 db 


MOV eb.db 


2,mem=3 


Move immediate byte into EA byte 


C7 


/0 dw 


MOV ew.dw 


2,mem=3 


Move immediate word into EA word 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The second operand is copied to the first 
operand. 

If the destination operand is a segment regis- 
ter (DS, ES, or SS), then the associated 
segment register cache is also loaded. The 
data for the cache is obtained from the 
descriptor table entry for the selector given. 



A null selector (values 0000-0003) can be 
loaded into DS and ES registers without 
causing a protection exception. Any use of a 
segment register with a null selector to 
address memory will cause #GP(0) excep- 
tion. No memory reference will occur. 

Any move into SS will inhibit all interrupts 
until after the execution of the next 
instruction. 

Following is a listing of the protected-mode 
checks and actions taken in the loading of a 
segment register: 



If SS is loaded: 

If selector is null then #GP(0) 

Selector index must be within its descriptor table limits else #GP (selector) 

Selector's RPL must equal CPL else #GP (selector) 

AR byte must indicate a writable data segment else #GP (selector) 

DPL in the AR byte must equal CPL else #GP (selector) 

Segment must be marked PRESENT else #SS (selector) 

Load SS with selector 
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Load SS cache with descriptor 
If ES or DS is loaded with non-null selector 

Selector index must be within its descriptor table limits else #GP (selector) 

AR byte must indicate data or readable code segment else #GP (selector) 

If data or non-conforming code, then both the RPL and the 

CPL must be less than or equal to DPL in AR byte else #GP (selector) 

Segment must be marked PRESENT else #NP (selector) 
Load segment register with selector 
Load segment register cache with descriptor 
If ES or DS is loaded with a null selector: 

Load segment register with selector 

Clear descriptor valid bit 



PROTECTED MODE EXCEPTIONS 

If a segment register is being loaded, #GP, 
#SS, and #NP, as described in the listing 
above. 

Otherwise, #GP(0) if the destination is in a 
non-writable segment. #GP(0) for an illegal 



memory operand effective address in the CS, 
DS, or ES segments; #SS(0) for an illegal 
address in the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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MOVS/MOVSB/MOVSW— Move Data from String 

to String 



Opcode 

A4 
A5 
A4 
A5 



Instruction 

MOVS mb.mb 
MOVS mw.mw 
MOVSB 
MOVSW 



Clocks 

5 
5 
5 
5 



Description 

Move byte [SI] to ES:[DI] 
Move word [SI] to ES:[DI] 
Move byte DS:[SI] to ES:[DI] 
Move word DS:[SI] to ES:[DI] 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

MOVS copies the byte or word at [SI] to the 

byte or word at ES:[DI]. The destination 

operand must be addressable from the ES 

register; no segment override is possible. A 

segment override may be used for the source 

operand. 

After the data movement is made, both SI and 
DI are automatically advanced. If the direc- 
tion flag is (CLD was executed), the regis- 
ters increment; if the direction flag is 1 (STD 
was executed), the registers decrement. The 



registers increment or decrement by 1 if a 
byte was moved; by 2 if a word was moved. 

MOVS can be preceded by the REP prefix 
for block movement of CX bytes or words. 
Refer to the REP instruction for details of this 
operation. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the destination is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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MUL — Unsigned Multiplication of AL or AX 



Opcode 

F6 /4 
F7 /4 



Instruction Clocks Description 

MUL eb 13,mem = 16 Unsigned multiply (AX = AL X EA byte) 

MUL ew 21, mem =24 Unsigned multiply (DXAX = AX X EA word) 



FLAGS MODIFIED 

Overflow, carry 

FLAGS UNDEFINED 

Sign, zero, auxiliary carry, parity 

OPERATION 

If MUL has a byte operand, then the byte is 
multiplied by AL, and the result is left in AX. 
Carry and overflow are set to if AH is 0; 
they are set to 1 otherwise. 

If MUL has a word operand, then the word 
is multiplied by AX, and the result is left in 



DX:AX. DX contains the high order 16 bits 
of the product. Carry and overflow are set to 
if DX is 0; they are set to 1 otherwise. 

PROTECTED MODE EXCEPTIONS 

#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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NEG— 'Two's Complement Negation 



Opcode 

F6 /3 
F7 /3 



Instruction Clocks Description 

NEG eb 2,mem=7 Two's complement negate EA byte 

NEG ew 2,mem=7 Two's complement negate EA word 



FLAGS MODIFIED 

Overflow, sign, zero, auxiliary carry, parity, 
carry 

FLAGS UNDEFINED 

None 

OPERATION 

The two's complement of the register or 
memory operand replaces the old operand 
value. Likewise, the operand is subtracted 
from zero, and the result is placed in the 
operand. 



The carry flag is set to 1 except when the 
input operand is zero, in which case the carry 
flag is cleared to 0. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the result is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the GS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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NOP— No OPERATION 



Opcode 
90 



Instruction 
NOP 



Clocks 
3 



Description 

No OPERATION 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

Performs no operation. NOP is a one-byte 



filler instruction that takes up space but 
affects none of the machine context except IP. 

PROTECTED MODE EXCEPTIONS 

None 

REAL ADDRESS MODE EXCEPTIONS 

None 
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NOT — One's Complement Negation 



Opcode 

F6 /2 
F7 /2 



Instruction Clocks Description 

NOT eb 2,mem=7 Reverse each bit of EA byte 

NOT ew 2 I mem=7 Reverse each bit of EA word 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The operand is inverted; that is, every 1 
becomes a and vice versa. 



PROTECTED MODE EXCEPTIONS 

#GP(0) if the result is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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OR — Logical Inclusive OR 



Opcode 




Instruction 


Clocks 


08 fr 




OR eb.rb 


2,mem=7 


09 \r 




OR ew,rw 


2,mem=7 


0A \r 




OR rb.eb 


2,mem=7 


OB /r 




OR rvv.eiv 


2,mem=7 


0C db 




OR AL.cto 


3 


OD dw 




OR AX.chv 


3 


80 /1 


db 


OR eb,db 


3,mem=7 


81 /1 


dw 


OR ew.dw 


3,mem=7 



Description 

Logical-OR byte register into EA byte 
Logical-OR word register into EA word 
Logical-OR EA byte into byte register 
Logical-OR EA word into word register 
Logical-OR immediate byte into AL 
Logical-OR immediate word into AX 
Logical-OR immediate byte into EA byte 
Logical-OR immediate word into EA word 



FLAGS MODIFIED 

Overflow =0, sign, zero, parity, carry =0 

FLAGS UNDEFINED 

Auxiliary carry 

OPERATION 

This instruction computes the inclusive OR of 
the two operands. Each bit of the result is 
if both corresponding bits of the operands are 
0; each bit is 1 otherwise. The result is placed 
in the first operand. 



PROTECTED MODE EXCEPTIONS 

#GP(0) if the result is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 



REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 



0FFFFH. 
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OUT — Output to Port 



Opcode 

E6 db 
E7 db 
EE 
EF 



Instruction 

OUT cfo.AL 
OUT cto.AX 
OUT DX.AL 
OUT DX.AX 



Clocks 

3 
3 
3 
3 



Description 

Output byte AL to immediate port number db 
Output word AX to immediate port number db 
Output byte AL to port number DX 
Output word AX to port number DX 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

OUT transfers a data byte or data word from 
the register (AL or AX) given as the second 
operand to the output port numbered by the 
first operand. You can output to any port 
from 0-65535 by placing the port number in 



the DX register then using an OUT instruc- 
tion with DX as the first operand. If the 
instruction contains an 8-bit port ID, that 
value is zero-extended to 16 bits. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the current privilege level is bigger 
(has less privilege) than IOPL, which is the 
privilege level found in the flags register. 

REAL ADDRESS MODE EXCEPTIONS 

None 
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OUTS/OUTSB/OUTSW— Output String to Port 



Opcode 

6E 
6F 
6E 
6F 



Instruction 

OUTS DX.eb 
OUTS DX.ew 
OUTSB 
OUTSW 



Clocks 

5 
5 
5 
5 



Description 

Output byte [SI] to port number DX 
Output word [SI] to port number DX 
Output byte DS:[SI] to port number DX 
Output word DS:[SI] to port number DX 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 



OPERATION 

OUTS transfers data from the memory byte 
or word at SI to the output port numbered by 
the DX register. 

OUTS does not allow the specification of the 
port number as an immediate value. The port 
must be addressed through the DX register. 

After the transfer is made, SI is automati- 
cally advanced. If the direction flag is (CLD 
was executed), SI increments; if the direction 
flag is 1 (STD was executed), SI decrements. 



SI increments or decrements by 1 if a byte 
was moved; by 2 if a word was moved. 

OUTS can be preceded by the REP prefix for 
block output of CX bytes or words. Refer to 
the REP instruction for details of this 
operation. 

NOTE 

Not all output devices can handle the rate 
at which this instruction transfers data. 

PROTECTED MDOE EXCEPTIONS 
#GP(0) if CPL > IOPL. #GP(0) for an 
illegal memory operand effective address in 
the CS, DS, or ES segments; #SS(0) for an 
illegal address in the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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POP — Pop a Word from the Stack 



Opcode 

1F 

07 

17 

8F /0 

58+ rw 


Instruction 

POP DS 
POP ES 
POP SS 
POP mw 
POP rw 


Clocks 

5,pm=20 

5,pm=20 

5,pm=20 

5 

5 


Description 

Pop top of stack into DS 

Pop top of stack into ES 

Pop top of stack into SS 

Pop top of stack into memory word 

Pop top of stack into word register 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 
OPERATION 

The word on the top of the iAPX 286 stack, 
addressed by SS:SP, replaces the previous 
contents of the memory, register, or segment 
register operand. The stack pointer SP is 
incremented by 2 to point to the new top of 
stack. 

If the destination operand is another segment 
register (DS, ES, or SS), the value popped 
must be a selector. In protected mode, loading 
the selector initiates automatic loading of the 
descriptor information associated with that 
selector into the hidden part of the segment 



register; loading also initiates validation of 
both the selector and the descriptor 
information. 

A null value (0000-0003) may be loaded into 
the DS or ES register without causing a 
protection exception. Attempts to reference 
memory using a segment register with a null 
value will cause #GP(0) exception. No 
memory reference will occur. The saved value 
of the segment register will be null. 

A POP SS instruction will inhibit all inter- 
rupts until after the execution of the next 
instruction. 

Following is a listing of the protected-mode 
checks and actions taken in the loading of a 
segment register: 
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If SS is loaded: 

If selector is null then #GP(0) 

Selector index must be within its descriptor table limits else #GP (selector) 

Selector's RPL must equal CPL else #GP (selector) 

AR byte must indicate a writable data segment else #GP (selector) 

DPL in the AR byte must equal CPL else #GP (selector) 

Segment must be marked PRESENT else #SS (selector) 

Load SS register with selector 

Load SS cache with descriptor 

If ES or DS is loaded with non-null selector: 

AR byte must indicate data or readable code segment else #GP (selector) 

If data or non-conforming code, then both the RPL and the 

CPL must be less than or equal to DPL in AR byte else #GP (selector) 

Segment must be marked PRESENT else #NP (selector) 

Load segment register with selector 

Load segment register cache with descriptor 
If ES or DS is loaded with a null selector: 

Load segment register with selector 

Clear valid bit in cache 

PROTECTED mode EXCEPTIONS #GP(0) if the destination is in a non-writable 

If a segment register is being loaded, #GP, segment. #GP(0) for an illegal memory 

#SS, and #NP, as described in the listing operand effective address in the CS, DS, or 

above. ES segments; #SS(0) for an illegal address in 

the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Otherwise, #SS(0) if the current top of stack Interrupt 13 for a word operand at offset 

is not within the stack segment. OFFFFH. 
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POPA — Pop All General Registers 



Opcode 

61 



Instruction 
POPA 



Clocks 
19 



Description 

Pop DI.SI.BP.SP.BX.DX.CX.AX 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

POPA pops the eight general registers given 
in the description above, except that the SP 
value is discarded instead of loaded into SP. 
POPA reverses a previous PUSHA, restoring 



the general registers to their values before 
PUSHA was executed. The first register 
popped is DI. 

PROTECTED MODE EXCEPTIONS 

#SS(0) if the starting or ending stack address 
is not within the stack segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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POPF — Pop from Stack into the Flags Register 



Opcode 
9D 



Instruction 
POPF 



Clocks 

5 



Description 

Pop top of stack into flags register 



FLAGS MODIFIED 

Entire flags register is popped from stack 

FLAGS UNDEFINED 

None 

OPERATION 

The top of the iAPX 286 stack, pointed to by 
SS:SP, is copied into the iAPX 286 flags 
register. The stack pointer SP is incremented 
by 2 to point to the new top of stack. The 
flags, from the top bit (bit 15) to the bottom 
(bit 0), are as follows: undefined, nested task, 
I/O privilege level (2 bits), overflow, direc- 
tion, interrupts enabled, trap, sign, zero, 
undefined, auxiliary carry, undefined, parity, 
undefined, and carry. 



The I/O privilege level will be altered only 
when executing at privilege level 0. The inter- 
rupt enable flag will be altered only when 
executing at a level at least as privileged as 
the I/O privilege level. (Real Address mode 
is equivalent to privilege level 0.) If you 
execute a POPF instruction with insufficient 
privilege, there will be no exception; the 
privileged bits will not change. 

PROTECTED MODE EXCEPTIONS 

#SS(0) if the top of stack is not within the 
stack segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at OFFFFH. 
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PUSH — Push a Word onto the Stack 



Opcode 


Instruction 


Clocks 


Description 


06 


PUSH ES 


3 


Push ES 


0E 


PUSH CS 


3 


PushCS 


16 


PUSH SS 


3 


Push SS 


1E 


PUSH DS 


3 


Push DS 


50+ rw 


PUSH rw 


3 


Push word register 


FF /6 


PUSH mw 


5 


Push memory word 


68 dw 


PUSH dw 


3 


Push immediate word 


6A db 


PUSH db 


3 


Push immediate sign-extended byte 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The stack pointer SP is decremented by 2, and 
the operand is placed on the new top of stack, 
which is pointed to by SS:SP. 

The iAPX 286 PUSH SP instruction pushes 
the value of SP as it existed before the 
instruction. This differs from the iAPX 86, 



which pushes the new (decremented by 2) 
value. 

PROTECTED MODE EXCEPTIONS 

#SS(0) if the new value of SP is outside the 
stack segment limit. 

#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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PUSHA — Push All General Registers 



Opcode 
60 



Instruction 
PUSHA 



Clocks 
17 



Description 

Push AX.CX.DX.BX.original SP.BP.SI.DI 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

PUSHA saves the registers noted above on the 
iAPX 286 stack. The stack pointer SP is 
decremented by 16 to hold the 8 word values. 
Since the registers are pushed onto the stack 



in the order in which they were given, they 
will appear in the 16 new stack bytes in the 
reverse order. The last register pushed is DI. 

PROTECTED MODE EXCEPTIONS 

#SS(0) if the starting or ending address is 
outside the stack segment limit. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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PUSHF — Push Flags Register onto the Stack 



Opcode 
9C 



Instruction 

PUSHF 



Clocks 
3 



Description 

Push flags register 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The stack pointer SP is decremented by 2, and 
the iAPX 286 flags register is copied to the 
new top of stack, which is pointed to by 
SS:SP. The flags, from the top bit (15) to the 
bottom bit (0), are as follows: undefined, 



nested task, I/O privilege level (2 bits), 
overflow, direction, interrupts enabled, trap, 
sign, zero, undefined, auxiliary carry, 
undefined, parity, undefined, and carry. 

PROTECTED MODE EXCEPTIONS 

#SS(0) if the new value of SP is outside the 
stack segment limit. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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RCL/RCR/ROL/ROR— Rotate Instructions 



Opcode 




Instruction 


Clocks-N' 


Description 


DO 


/2 




RCL ebA 


2,mem=7 


Rotate 9-bits (CF, EA byte) left once 


D2 


/2 




RCL eb,CL 


5,mem=8 


Rotate 9-bits (CF, EA byte) left CL times 


CO 


/2 


db 


RCL eb.db 


5,mem=8 


Rotate 9-bits (CF, EA byte) left db times 


D1 


/2 




RCL ew,1 


2,mem=7 


Rotate 17-bits (CF, EA word) left once 


D3 


/2 




RCL ew.CL 


5,mem=8 


Rotate 17-bits (CF, EA word) left CL times 


C1 


/2 


db 


RCL ew.db 


5,mem=8 


Rotate 17-bits (CF, EA word) left db times 


DO 


/3 




RCR eb,1 


2,mem=7 


Rotate 9-bits (CF, EA byte) right once 


D2 


/3 




RCR efc.CL 


5,mem=8 


Rotate 9-bits (CF, EA byte) right CL times 


CO 


/3 


db 


RCR eb.db 


5,mem=8 


Rotate 9-bits (CF, EA byte) right db times 


D1 


/3 




RCR ew,1 


2,mem=7 


Rotate 17-bits (CF, EA word) right once 


D3 


/3 




RCR ew,CL 


5,mem=8 


Rotate 17-bits (CF, EA word) right CL times 


C1 


/3 


db 


RCR eiv.cto 


5,mem=8 


Rotate 1 7-bits (CF, EA word) right db times 


DO 


/o 




ROL e&,1 


2,mem=7 


Rotate 8-bit EA byte left once 


D2 


/o 




ROL eb.CL 


5,mem=8 


Rotate 8-bit EA byte left CL times 


CO 


/o 


db 


ROL eb.cto 


5,mem=8 


Rotate 8-bit EA byte left db times 


D1 


/o 




ROL ew,1 


2,mem=7 


Rotate 1 6-bit EA word left once 


D3 


/o 




ROL eiv.CL 


5,mem=8 


Rotate 16-bit EA word left CL times 


C1 


/o 


db 


ROL ew,cto 


5,mem=8 


Rotate 1 6-bit EA word left db times 


DO 


/1 




ROR eb,1 


2,mem=7 


Rotate 8-bit EA byte right once 


D2 


/1 




ROR eb.CL 


5,mem=8 


Rotate 8-bit EA byte right CL times 


CO 


/1 


db 


ROR eb.db 


5,mem=8 


Rotate 8-bit EA byte right db times 


D1 


/1 




ROR eiv,1 


2,mem=7 


Rotate 16-bit EA word right once 


D3 


/1 




ROR ew.CL 


5,mem=8 


Rotate 16-bit EA word right CL times 


C1 


/1 


db 


ROR ew.db 


5,mem=8 


Rotate 16-bit EA word right db times 



* Add 1 clock to the times shown for each rotate made 
FLAGS MODIFIED 

Overflow (only for single rotates), carry 

FLAGS UNDEFINED 

Overflow for multi-bit rotates 

OPERATION 

Each rotate instruction shifts the bits of the 
register or memory operand given. The left 
rotate instructions shift all of the bits upward, 
except for the top bit, which comes back 
around to the bottom. The right rotate 
instructions do the reverse: the bits shift 
downward, with the bottom bit coming around 
to the top. 

For the RCL and RCR instructions, the carry 
flag is part of the rotated quantity. RCL shifts 
the carry flag into the bottom bit and shifts 
the top bit into the carry flag; RCR shifts the 



carry flag into the top bit and shifts the 
bottom bit into the carry flag. For the ROL 
and ROR instructions, the original value of 
the carry flag is not a part of the result; 
nonetheless, the carry flag receives a copy of 
the bit that was shifted from one end to the 
other. 

The rotate is repeated the number of times 
indicated by the second operand, which is 
either an immediate number or the contents 
of the CL register. The iAPX 286 does not 
allow rotation counts greater than 31. If a 
rotation count greater than 31 is attempted, 
only the bottom five bits of the rotation are 
used. The iAPX 86 does not mask rotate 
counts. 

The overflow flag is set only for the single- 
rotate (second operand = 1) forms of the 
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instructions. For RCR, the test for overflow 
is made before the rotation; for RCL, ROL, 
and ROR, it is made after the rotation. The 
test is as follows: if the carry flag equals the 
high bit of the operand, set the overflow flag 
to 0; if the carry flag does not equal the high 
bit of the operand, set the overflow flag to 1. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the result is in a non-writable 



segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 



REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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REP/REPE/REPNE — Repeat Following String Operation 



C 



Opcode 


Instruction 


Clocks* 


Description 


F3 


6C 


REP INS eb.DX 


5+4*CX 


Input CX bytes from port DX into ES:[DI] 


F3 


6D 


REP INS ew,DX 


5+4*CX 


Input CX words from port DX into ES:[DI] 


F3 


6C 


REP INSB 


5+4*CX 


Input CX bytes from port DX into ES:[DI] 


F3 


6D 


REP INSW 


5+4*CX 


Input CX words from port DX into ES:[DI] 


F3 


A4 


REP MOVS mb.mb 


5+4*CX 


Move CX bytes from [SI] to ES:[DI] 


F3 


A5 


REP MOVS mw,mw 


5+4*CX 


Move CX words from [SI] to ES:[DI] 


F3 


A4 


REP MOVSB 


5+4*CX 


Move CX bytes from DS:[SI] to ES:[DI] 


F3 


A5 


REP MOVSW 


5+4*CX 


Move CX words from DS:[SI] to ES:[DI] 


F3 


6E 


REP OUTS DX,eb 


5+4*CX 


Output CX bytes from [SI] to port DX 


F3 


6F 


REP OUTS DX,ew 


5+4*CX 


Output CX words from [SI] to port DX 


F3 


6E 


REP OUTSB 


5+4*CX 


Output CX bytes from DS:[SI] to port DX 


F3 


6F 


REP OUTSW 


5+4*CX 


Output CX words from DS:[SI] to port DX 


F3 


AA 


REP STOS mb 


4+3*CX 


Fill CX bytes at ES:[DI] with AL 


F3 


AB 


REP STOS mw 


4+3*CX 


Fill CX words at ES:[DI] with AX r - 
Fill CX bytes at ES:[DI] with AL fh^ 


F3 


AA 


REP STOSB 


4+3*CX 


F3 


AB 


REP STOSW 


4+3*CX 


Fill CX words at ES:[DI] with AX <£r^ ,J }() 


F3 


A6 


REPE CMPS mb.mb 


5+9*N 


Find nonmatching bytes in ES:[DI] and [SI] ^ 


F3 


A7 


REPE CMPS mw.mw 


5+9*N 


Find nonmatching words in ES:[DI] and [SI] l ~ ! 


F3 


A6 


REPE CMPSB 


5+9*N 


Find nonmatching bytes in ES:[DI] and DS:[SI] 


F3 


A7 


REPE CMPSW 


5+9*N 


Find nonmatching words in ES:[DI] and DS:[SI] 


F3 


AE 


REPE SCAS mb 


5+8*N 


Find non-AL byte starting at ES:[DI] 


F3 


AF 


REPE SCAS mw 


5+8*N 


Find non-AX word starting at ES:[DI] 


F3 


AE 


REPE SCASB 


5+8*N 


Find non-AL byte starting at ES:[DI] 


F3 


AF 


REPE SCASW 


5+8*N 


Find non-AX word starting at ES:[DI] 


Hfe 


A6 


REPNE CMPS mb.mb 


5+9*N 


Find matching bytes in ES:[DI] and [SI] 


£ 


A7 


REPNE CMPS mw,mw 


5+9*N 


Find matching words in ES:[DI] and [SI] 


A6 


REPNE CMPSB 


5+9*N 


Find matching bytes in ES:[DI] and DS:[SI] 


F2 


A7 


REPNE CMPSW 


5+9*N 


Find matching words in ES:[DI] and DS:[SI] 


/F2 


AE 


REPNE SCAS mb 


5+8*N 


Find AL, starting at ES:[DI] 


IF2 


AF 


REPNE SCAS mw 


5+8*N 


Find AX, starting at ES:[DI] 


F2 


AE 


REPNE SCASB 


5+8*N 


Find AL, starting at ES:[DI] 


F2 


AF 


REPNE SCASW 


5+8*N 


Find AX, starting at ES:[DI] 






/^^-.r 



* N denotes the number of iterations actually executed. 

FLAGS MODIFIED 

By CMPS and SCAS, none by REP 



Thus, REPE stands for "Repeat while equal," 
REPNE for "Repeat while not equal." 



FLAGS UNDEFINED 

None 



The REP prefixes make sense only in the 
contexts listed above. They cannot be applied 
to anything other than string operations. 



OPERATION 

REP, REPE, and REPNE are prefix opera- 
tions. These prefixes cause the string instruc- 
tion that follows to be repeated CX times or 
(for REPE and REPNE) until the indicated 
condition in the zero flag is no longer met. 



Synonymous forms of REPE and REPNE are 
REPZ and REPNZ, respectively. 

The REP prefixes apply only to one string 
instruction at a time. To repeat a block of 
instructions, use a LOOP construct. 
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The precise action for each iteration is as 
follows: 

1 . Check the CX register. If it is zero, exit 
the iteration and move to the next 
instruction. 

2. Acknowledge any pending interrupts. 

3. Perform the string operation once. 

4. Decrement CX by 1; no flags are 
modified. 

5. If the string operation is SCAS or CMPS, 
check the zero flag. If the repeat condi- 
tion does not hold, then exit the iteration 
and move to the next instruction. Exit if 
the prefix is REPE and ZF=0 (the last 
comparison was not equal), or if the 
prefix is REPNE and ZF=1 (the last 
comparison was equal). 

6. Go to step 1 for the next iteration. 

As defined by the individual string-ops, the 
direction of movement through the block is 
determined by the direction flag. If the direc- 
tion flag is 1 (STD was executed), SI and/or 
DI start at the end of the block and move 



backward; if the direction flag is (CLD was 
executed), SI and/or DI start at the begin- 
ning of the block and move forward. 

For repeated SCAS and CMPS operations the 
repeat can be exited for one of two different 
reasons: the CX count can be exhausted or 
the zero flag can fail the repeat condition. 
Your code will probably want to distinguish 
between the two cases. It can do so via either 
the JCXZ instruction or the conditional jumps 
that test the zero flag (JZ, JNZ, JE, and 
JNE). 

NOTE 

Not all input/output ports can handle the 
rate at which the repeated I/O instruc- 
tions execute. 

PROTECTED MODE EXCEPTIONS 

None by REP; exceptions can be generated 
when the string-op is executed. 

REAL ADDRESS MODE EXCEPTIONS 

None by REP; exceptions can be generated 
when the string-op is executed. 
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RET — Return from Procedure 



Opcode 


Instruction 


Clocks' 




Description 




CB 




RET 




15,pm= 


=25 


Return to far caller, same 


privilege 


CB 




RET 




55 




Return, lesser privilege, switch stacks 


C3 




RET 




11 




Return to near caller 




CA 


dw 


RET 


dw 


15,pm= 


=25 


RET (far), same privilege, 


pop dw bytes 


CA 


dw 


RET 


dw 


55 




RET (far), lesser privilege 


pop dw bytes 


C2 


dw 


RET 


dw 


11 




RET (near), pop dw bytes pushed before Call 



"Add 1 clock for each byte in the next instruction executed. 
FLAGS MODIFIED 

None 



FLAGS UNDEFINED 

None 

OPERATION 

RET transfers control to a return address 
located on the stack. The address is usually 
placed on the stack by a CALL instruction; 
in that case, the return is made to the instruc- 
tion that follows the CALL. 



There is an optional numeric parameter to 
RET. It gives the number of stack bytes to be 
released after the return address is popped. 
These bytes are typically used as input 
parameters to the procedure called. 



For the intra-segment return, the address on 
the stack is a 2-byte quantity popped into IP. 
The CS register is unchanged. 



For the inter-segment return, the address on 
the stack is a 4-byte-long pointer. The offset 
is popped first, followed by the selector. In 
real address mode, CS and IP are directly 
loaded. 

In protected mode, an inter-segment return 
causes the processor to consult the descriptor 
addressed by the return selector. The AR byte 
of the descriptor must indicate a code segment 
of equal or less privilege (of greater or equal 
numeric value) than the current privilege 
level. Returns to a lesser, privilege level cause 
the stack to be reloaded from the value saved 
beyond the parameter block. 

The DS and ES segment registers may be set 
to zero by the inter-segment RET instruction. 
If these registers refer to segments which 
cannot be used by the new privilege level, they 
are set to zero to prevent unauthorized access. 

The following list of checks and actions 
describes the protected-mode inter-segment 
return in detail. 
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Inter-segment RET: 

Second word on stack must be within stack limits else #SS(0) 
Return selector RPL must be > CPL else #GP (return selector) 
If return selector RPL = CPL then 
RETURN TO SAME LEVEL: 
Return selector must be non-null else #GP(0) 

Selector index must be within its descriptor table limits else #GP (selector) 
Descriptor AR byte must indicate code segment else #GP (selector) 
If non-conforming then code segment DPL must equal CPL else #GP (selector) 
If conforming then code segment DPL must be < CPL else #GP (selector) 
Code segment must be PRESENT else #NP (selector) 
Top word on stack must be within stack limits else #SS(0) 
IP must be in code segment limit else #GP(0) 
Load CS:IP from stack 
Load CS-cache with descriptor 
Increment SP by 4 plus the immediate offset if it exists 
Else 

RETURN TO OUTER PRIVILEGE LEVEL: 

Top (8+immediate) bytes on stack must be within stack limits else #SS(0) 
Examine return CS selector (at SP+2) and associated descriptor: 
Selector must be non-null else #GP(0) 

Selector index must be within its descriptor table limits else #GP (selector) 
Descriptor AR byte must indicate code segment else #GP (selector) 

If non-conforming then code segment DPL must equal return selector RPL else #GP (selector) 
If conforming then code segment DPL must be < return selector RPL else #GP (selector) 
Segment must be PRESENT else #NP (selector) 
Examine return SS selector (at SP+6+imm) and associated descriptor: 
Selector must be non-null else #GP(0) 
. Selector index must be within its descriptor table limits else #GP (selector) 
Selector RPL must equal the RPL of the return CS selector else #GP (selector) 
Descriptor AR byte must indicate a writable data segment else #GP (selector) 
Descriptor DPL must equal the RPL of the return CS selector else #GP (selector) 
Segment must be PRESENT else #NP (selector) 
IP must be in code segment limit else # GP(0) 
Set CPL to the RPL of the return CS selector 
Load CS.-IP from stack 
Set CS RPL to CPL 

Increment SP by 4 plus the immediate offset if it exists 
Load SS:SP from stack 

Load the CS-cache with the return CS descriptor 
Load the SS-cache with the return SS descriptor 
For each of ES and DS: 

If the current register setting is not valid for the outer level, set the 

register to null (selector = AR = 0) 
To be valid, the register setting must satisfy the following properties: 
Selector index must be within descriptor table limits 
Descriptor AR byte must indicate data or readable code segment 
If segment is data or non-conforming code, then: 
DPL must be > CPL, or 
DPL must be > RPL 

PROTECTED MODE EXCEPTIONS REAL ADDRESS MODE EXCEPTIONS 

#GP, #NP, or #SS, as described in the above Interrupt 1 3 if the stack pop wraps around 

listing. from OFFFFH to 0. 
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SAHF — Store AH into Flags 



Opcode 

9E 



Instruction 

SAHF 



Clocks 
2 



Description 

Store AH into flags SF 2F xx AF xx PF xx CF 



FLAGS MODIFIED 

Sign, zero, auxiliary carry, parity, carry 

FLAGS UNDEFINED 

None 

OPERATION 

The flags listed above are loaded with values 



from the AH register, from bits 7, 6, 4, 2, and 
0, respectively. 

PROTECTED MODE EXCEPTIONS 

None 

REAL ADDRESS MODE EXCEPTIONS 

None 
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SAL/SAR/SHL/SHR— Shift Instructions 



Opcode 




Instruction 


Clocks-N* 


Description 


DO 


/4 




SAL 


eb,1 


2,mem=7 


Multiply EA byte by 2, once 


D2 


/4 




SAL 


eb.CL 


5,mem=8 


Multiply EA byte by 2, CL times 


CO 


/4 


db 


SAL 


eb.db 


5,mem=8 


Multiply EA byte by 2, db times 


D1 


1* 




SAL 


ew,1 


2,mem=7 


Multiply EA word by 2, once 


D3 


/4 




SAL 


ew.CL 


5,mem=8 


Multiply EA word by 2, CL times 


C1 


/4 


db 


SAL 


ew.db 


5,mem=8 


Multiply EA word by 2, db times 


DO 


/7 




SAR 


eb,1 


2,mem=7 


Signed divide EA byte by 2, once 


D2 


/7 




SAR 


eb.CL 


5,mem=8 


Signed divide EA byte by 2, CL times 


CO 


/7 


db 


SAR 


eb,db 


5,mem=8 


Signed divide EA byte by 2, db times 


D1 


^7 




SAR 


ew,1 


2,mem=7 


Signed divide EA word by 2, once 


D3 


\1 




SAR 


ew.CL 


5,mem=8 


Signed divide EA word by 2, CL times 


C1 


17 


db 


SAR 


ew,db 


5,mem=8 


Signed divide EA word by 2, db times 


DO 


/5 




SHR 


eb,1 


2,mem=7 


Unsigned divide EA byte by 2, once 


D2 


/5 




SHR 


eb.CL 


5,mem=8 


Unsigned divide EA byte by 2, CL times 


CO 


/5 


db 


SHR 


eb,db 


5,mem=8 


Unsigned divide EA byte by 2, db times 


D1 


/5 




SHR 


ew,1 


2,mem=7 


Unsigned divide EA word by 2, once 


D3 


/5 




SHR 


ew.CL 


5,mem=8 


Unsigned divide EA word by 2, CL times 


C1 


/5 


db 


SHR 


ew,db 


5,mem=8 


Unsigned divide EA word by 2, db times 



* Add 1 clock to the times shown for each shift performed 

FLAGS MODIFIED 

Overflow (only for single-shift form), carry, 
zero, overflow, parity, sign 

FLAGS UNDEFINED 

Auxiliary carry 

OPERATION 

SAL (or its synonym SHL) shifts the bits of 
the operand upward. The high-order bit is 
shifted into the carry flag, and the low-order 
bit is set to 0. 

SAR and SHR shift the bits of the operand 
downward. The low-order bit is shifted into 
the carry flag. The effect is to divide the 
operand by 2. SAR performs a signed divide: 
the high-order bit remains the same. SHR 
performs an unsigned divide: the high-order 
bit is set to 0. 

The shift is repeated the number of times 
indicated by the second operand, which is 
either an immediate number or the contents 
of the CL register. The iAPX 286 does not 



allow shift counts greater than 31. If a shift 
count greater than 31 is attempted, only the 
bottom five bits of the shift count are used. 
The iAPX 86 uses all 8 bits of the shift count. 

The overflow flag is set only if the single-shift 
forms of the instructions are used. For left 
shifts, it is set to if the high bit of the answer 
is the same as the result carry flag (i.e., the 
top two bits of the original operand were the 
same); it is set to 1 if they are different. For 
SAR it is set to for all single shifts. For 
SHR, it is set to the high-order bit of the 
original operand. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the operand is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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SBB — Integer Subtraction With Borrow 



Opcode 




Instruction 


Clocks 




Description 


18 


lr 




SBB eb.rb 


2,mem = 


=7 


Subtract with borrow byte register from EA 
byte 


19 


lr 




SBB ew.rw 


2,mem = 


=7 


Subtract with borrow word register from EA 
word 


1A 


lr 




SBB rb,eb 


2,mem= 


=7 


Subtract with borrow EA byte from byte 
register 


1B 


lr 




SBB rw,ew 


2,mem= 


=7 


Subtract with borrow EA word from word 
register 


1C 


db 




SBB kL,db 


3 




Subtract with borrow imm. byte from AL 


1D 


dw 




SBB AX,dw 


3 




Subtract with borrow imm. word from AX 


80 


/3 


db 


SBB eb,db 


3,mem= 


=7 


Subtract with borrow imm. byte from EA byte 


81 


/3 


dw 


SBB ew,dw 


3,mem = 


=7 


Subtract with borrow imm. word from EA word 


83 


/3 


db 


SBB ew,db 


3,mem= 


=7 


Subtract with borrow imm. byte from EA word 



FLAGS MODIFIED 

Overflow, sign, zero, auxiliary carry, parity, 
carry 

FLAGS UNDEFINED 

None 

OPERATION 

The second operand is added to the carry flag 
and the result is subtracted from the first 
operand. The first operand is replaced with 
the result of the subtraction, and the flags are 
set accordingly. 



When a byte-immediate value is subtracted 
from a word operand, the immediate value is 
first sign-extended. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the result is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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SCAS/SCASB/SCASW— Compare String Data 



Opcode 

AE 
AF 
AE 
AF 



Instruction 

SCAS mb 
SCAS mw 
SCASB 
SCASW 



Clocks 

7 
7 
7 
7 



Description 

Compare bytes AL - ES:[DI], advance Dl 
Compare words AX - ES:[DI], advance Dl 
Compare bytes AL - ES:[DI], advance Dl 
Compare words AX - ES:[DI], advance Dl 



FLAGS MODIFIED 

Overflow, sign, zero, auxiliary carry, parity, 
carry 

FLAGS UNDEFINED 

None 

OPERATION 

SCAS subtracts the memory byte or word at 
ES:DI from the AL or AX register. The result 
is discarded; only the flags are set. The 
operand must be addressable from the ES 
register; no segment override is possible. 

After the comparison is made, Dl is automat- 
ically advanced. If the direction flag is 
(CLD was executed), Dl increments; if the 
direction flag is 1 (STD was executed), Dl 



decrements. Dl increments or decrements by 
1 if bytes were compared; by 2 if words were 
compared. 

SCAS can be preceded by the REPE or 
REPNE prefix for a block search of CX bytes 
or words. Refer to the REP instruction for 
details of this operation. 

PROTECTED MODE EXCEPTIONS 

#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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SGDT/SIDT — Store Global/Interrupt Descriptor Table 

Register 



Opcode 

OF 01 /0 
OF 01 /1 



Instruction 

SGDT m 
SIDT m 



Clocks 

11 
12 



Description 

Store Global Descriptor Table register to m 
Store Interrupt Descriptor Table register to m 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The contents of the descriptor table register 
are copied to six bytes of memory indicated 
by the operand. The LIMIT field of the 
register goes to the first word at the effective 
address; the next three bytes get the BASE 
field of the register; and the last byte is 
undefined. 



PROTECTED MODE EXCEPTIONS 

#UD if the destination operand is a register. 
#GP(0) if the destination is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

These instructions are valid in Real Address 
mode to facilitate power-up or to reset initial- 
ization prior to entering Protected mode. 



SGDT and SIDT appear only in operating 
systems software; they are not used in appli- 
cations programs. 



#UD if the destination operand is a register. 
Interrupt 13 for a word operand at offset 
OFFFFH. 
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SLDT— Store Local Descriptor Table Register 



Opcode 


Instruction 


Clocks 


Description 


OF 00 /0 


SLDT ew 


2,mem=3 


Store Local Descriptor Table register to EA 
word 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 



OPERATION 

The Local Descriptor Table register is stored 
in the 2-byte register or memory location 
indicated by the effective address operand. 
This register is a selector that points into the 
Global Descriptor Table. 



SLDT appears only in operating systems 
software. It is not used in applications 
programs. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the destination is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 6; SLDT is not recognized in Real 
Address mode. ; 
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SMSW — Store Machine Status Word 



Opcode Instruction Clocks Description 

OF 01 /4 SMSW ew 2,mem=3 Store Machine Status Word to EA word 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The Machine Status Word is stored in the 
2-byte register or memory location indicated 
by the effective address operand. 



PROTECTED MODE EXCEPTIONS 

#GP(0) if the destination is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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STC — Set Carry Flag 



Opcode Instruction 


Clocks 


Description 


F9 STC 


2 


Set carry flag 


FLAGS MODIFIED 




PROTECTED MODE EXCEPTIONS 


Carry =1 




None 


FLAGS UNDEFINED 




REAL ADDRESS MODE EXCEPTIONS 


None 




None 


OPERATION 






The carry flag is set to 1 . 
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STD — Set Direction Flag 



Opcode 
FD 



Instruction 
STD 



Clocks 
2 



Description 

Set direction flag so SI and Dl will decrement 



FLAGS MODIFIED 

Direction =1 

FLAGS UNDEFINED 

None 

OPERATION 

The direction flag is set to 1. This causes all 
subsequent string operations to decrement the 



index registers (SI and/or DI) on which they 
operate. 

PROTECTED MODE EXCEPTIONS 

None 

REAL ADDRESS MODE EXCEPTIONS 

None 



B-101 



THE iAPX 286 INSTRUCITON SET 



STI — Set Interrupt Enable Flag 



Opcode 

FB 



Instruction 
STI 



Clocks 
2 



Description 

Set interrupt enable flag, interrupts enabled 



FLAGS MODIFIED 

Interrupt =1 

FLAGS UNDEFINED 

None 

OPERATION 

The interrupts-enabled flag is set to 1. The 



iAPX 286 will now respond to external inter- 
rupts after executing the next instruction. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the current privilege level is bigger 
(has less privilege) than the I/O privilege 
level. 

REAL ADDRESS MODE EXCEPTIONS 

None 
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STOS/STOSB/STOSW— Store String Data 



Opcode 

AA 
AB 
AA 
AB 



Instruction 

STOS mb 
STOS mw 
STOSB 
STOSW 



Clocks 

3 
3 
3 
3 



Description 

Store AL to byte ES:[DI], advance Dl 
Store AX to word ES:[DI], advance Dl 
Store AL to byte ES:[DI], advance Dl 
Store AX to word ES:[DI], advance Dl 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

STOS transfers the contents the AL or AX 
register to the memory byte or word at ES:DI. 
The operand must be addressable from the ES 
register; no segment override is possible. 

After the transfer is made, Dl is automati- 
cally advanced. If the direction flag is (CLD 
was executed), Dl increments; if the direction 
flag is 1 (STD was executed), Dl decrements. 



Dl increments or decrements by 1 if a byte 
was moved; by 2 if a word was moved. 

STOS can be preceded by the REP prefix for 
a block fill of CX bytes or words. Refer to the 
REP instruction for details of this operation. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the destination is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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STR — Store Task Register 



Opcode Instruction Clocks Description 

OF 00 /1 STR ew 2,mem=3 Store Task Register to EA word 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The contents of the Task Register are copied 
to the 2-byte register or memory location 
indicated by the effective address operand. 



PROTECTED MODE EXCEPTIONS 

#GP(0) if the destination is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 6; STR is not recognized in Real 
Address mode. 
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SUB — Integer Subtraction 



Opcode 




Instruction 


Clocks 


28 


/r 




SUB eb.rb 


2,mem=7 


29 


fr 




SUB ew.rw 


2,mem=7 


2A 


/r 




SUB rf?,e& 


2,mem=7 


2B 


lr 




SUB nv.ew 


2,mem=7 


2C 


db 




SUB AL,db 


3 


2D 


dw 




SUB AX.cfiv 


3 


80 


/5 


d/J 


SUB eb.db 


3,mem=7 


81 


/5 


dw 


SUB ew.dw 


3,mem=7 


83 


/5 


db 


SUB ew.cto 


3,mem=7 



Description 

Subtract byte register from EA byte 
Subtract word register from EA word 
Subtract EA byte from byte register 
Subtract EA word from word register 
Subtract immediate byte from AL 
Subtract immediate word from AX 
Subtract immediate byte from EA byte 
Subtract immediate word from EA word 
Subtract immediate byte from EA word 



FLAGS MODIFIED 

Overflow, sign, zero, auxiliary carry, parity, 
carry 



FLAGS UNDEFINED 

None 



OPERATION 

The second operand is subtracted from the 
first operand, and the first operand is replaced 
with the result. 



When a byte-immediate value is subtracted 
from a word operand, the immediate value is 
first sign-extended. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the result is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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TEST — Logical Compare 



Opcode 




Instruction 


Clocks 


84 


fr 




TEST eb.rb 


2,mem=6 


84 


/r 




TEST rb.eb 


2,mem=6 


85 


lr 




TEST ew.rw 


2,mem=6 


85 


lr 




TEST rw.ew 


2,mem=6 


A8 


db 




TEST AL, db 


3 


A9 


dw 




TEST AX.dtv 


3 


F6 


/o 


db 


TEST eb.db 


3,mem=6 


F7 


/o 


dw 


TEST ew.dw 


3,mem=6 



Description 

AND byte register into EA byte for flags only 
AND EA byte into byte register for flags only 
AND word register into EA word for flags only 
AND EA word into word register for flags only 
AND immediate byte into AL for flags only 
AND immediate word into AX for flags only 
AND immediate byte into EA byte for flags only 
AND immediate word into EA word for flags 
only 



FLAGS MODIFIED 

Overflow =0, sign, zero, parity, carry =0 

FLAGS UNDEFINED 

Auxiliary carry 

OPERATION 

TEST computes the bit-wise logical AND of 
the two operands given. Each bit of the result 
is 1 if both of the corresponding bits of the 
operands are 1; each bit is otherwise. The 



result of the operation is discarded; only the 
flags are modified. 

PROTECTED MODE EXCEPTIONS 

#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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VERR,VERW — Verify a Segment for Reading or Writing 



Opcode Instruction Clocks Description 

OF 00 /4 VERR ew 14,mem = 16 Set ZF=1 if seg. can be read, selector ew 

OF 00 /5 VERW ew 14,mem=16 Set ZF=1 if seg. can be written, selector ew 



FLAGS MODIFIED 

Zero 



FLAGS UNDEFINED 

None 



If the code segment is readable and 
conforming, the descriptor privilege level 
(DPL) can be any value for VERR. 
Otherwise, the DPL must be greater than 
or equal to (have less or the same privi- 
lege as) both the current privilege level 
and the selector's RPL. 



OPERATION 

VERR and VERW expect the 2-byte register 
or memory operand to contain the value of a 
selector. The instructions determine whether 
the segment denoted by the selector is reach- 
able from the current privilege level; the 
instructions also determine whether it is 
readable or writable. If the segment is deter- 
mined to be accessible, the zero flag is set to 
1; if the segment is not accessible, it is set to 

0. To set ZF, the following conditions must 
be met: 

1. The selector must denote a descriptor 
within the bounds of the table (GDT or 
LDT); that is, the selector must be 
"defined." 

2. The selector must denote the descriptor 
of a code or data segment. 

3. If the instruction is VERR, the segment 
must be readable. If the instruction is 
VERW, the segment must be a writable 
data segment. 



The validation performed is the same as if the 
segment were loaded into DS or ES and the 
indicated access (read or write) were 
performed. The zero flag receives the result 
of the validation. The selector's value cannot 
result in a protection exception. This enables 
the software to anticipate possible segment 
access problems. 

PROTECTED MODE EXCEPTIONS 

The only faults that can occur are those 
generated by illegally addressing the memory 
operand which contains the selector. The 
selector is not loaded into any segment regis- 
ter, and no faults attributable to the selector 
operand are generated. 

#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 6; VERR and VERW are not 
recognized in Real Address Mode. 
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WAIT — Wait Until BUSY Pin Is Inactive (HIGH) 



Opcode 

9B 



Instruction 

WAIT 



Clocks 
3 



Description 

Wait until BUSY pin is inactive (HIGH) 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

WAIT suspends execution of 80286 instruc- 
tions until the BUSY pin is inactive (high). 
The BUSY pin is driven by the 80287 
numeric processor extension. WAIT is issued 



to ensure that the numeric instruction being 
executed is complete, and to check for a 
possible numeric fault (see below). 

PROTECTED MODE EXCEPTIONS 

#NM if task switch flag in MSW is set. #MF 
is 80287 has detected an unmasked numeric 
error. 

REAL ADDRESS MODE EXCEPTIONS 

Same as Protected mode. 
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XCHG — Exchange Memory/Register with Register 



Opcode 


Instruction 


Clocks 


Description 


86 Ir 

86 Ir 

87 Ir 
87 Ir 
90+ rw 
90+ rw 


XCHG eb,rb 
XCHG rb.eb 
XCHG ew.rw 
XCHG rw.ew 
XCHG AX.nv 
XCHG rw.AX 


3,mem=5 

3,mem=5 

3,mem=5 

3,mem=5 

3 

3 


Exchange byte register with EA byte 
Exchange EA byte with byte register 
Exchange word register with EA word 
Exchange EA word with word register 
Exchange word register with AX 
Exchange with word register 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

The two operands are exchanged. The order 
of the operands is immaterial. BUS LOCK is 
asserted for the duration of the exchange, 
regardless of the presence or absence of the 
LOCK prefix or IOPL. 



PROTECTED MODE EXCEPTIONS 

#GP(0) if either operand is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 



REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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XLAT — Table Look-up Translation 



Opcode 

D7 
D7 



Instruction 
XLAT mb 
XLATB 



Clocks 

5 
5 



Description 

Set AL to memory byte DS:[BX + unsigned 

AL] 

Set AL to memory byte DS:[BX + unsigned 

AL] 



FLAGS MODIFIED 

None 

FLAGS UNDEFINED 

None 

OPERATION 

When XLAT is executed, AL should be the 
unsigned index into a table addressed by 
DS:BX. XLAT changes the AL register from 
the table index into the table entry. BX is 
unchanged. 



PROTECTED MODE EXCEPTIONS 

#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 



REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 



OFFFFH. 
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XOR — Logical Exclusive OR 



Opcode 




Instruction 


Clocks 


30 


lr 




XOR eb.rb 


2,mem=7 


31 


lr 




XOR ew.rw 


2,mem=7 


32 


lr 




XOR rb.eb 


2,mem=7 


33 


lr 




XOR rw.ew 


2,mem=7 


34 


db 




XOR AL.cto 


3 


35 


dw 




XOR AX,dw 


3 


80 


/6 


db 


XOR eb.db 


3,mem=7 


81 


/6 


dw 


XOR ew,dw 


3,mem=7 



Description 

Exclusive-OR 
Exclusive-OR 
Exclusive-OR 
Exclusive-OR 
Exclusive-OR 
Exclusive-OR 
Exclusive-OR 
Exclusive-OR 



byte register into EA byte 
word register into EA word 
EA byte into byte register 
EA word into word register 
immediate byte into AL 
immediate word into AX 
immediate byte into EA byte 
immediate word into EA word 



FLAGS MODIFIED 

Overflow =0, sign, zero, parity, carry =0 

FLAGS UNDEFINED 

Auxiliary carry 

OPERATION 

XOR computes the exclusive OR of the two 
operands. Each bit of the result is 1 if the 
corresponding bits of the operands are differ- 
ent; each bit is if the corresponding bits are 



the same. The answer replaces the first 
operand. 

PROTECTED MODE EXCEPTIONS 

#GP(0) if the result is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset 
OFFFFH. 
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iAPX 286/10 

HIGH PERFORMANCE MICROPROCESSOR 

WITH MEMORY MANAGEMENT AND PROTECTION 



High Performance 8 and 10 MHz 
Processor (Up to six times iAPX 86) 
Large Address Space: 
—16 Megabytes Physical 
— 1 Gigabyte Virtual per Task 
Integrated Memory Management, Four- 
Level Memory Protection and Support 
for Virtual Memory and Operating 
Systems 

Two iAPX 86 Upward Compatible 
Operating Modes: 
—iAPX 86 Real Address Mode 
—Protected Virtual Address Mode 



Optional Processor Extension: 
—iAPX 286/20 High Performance 80-bit 

Numeric Data Processor 
Complete System Development 
Support: 
—Development Software: Assembler, 

PL/M, Pascal, FORTRAN, and System 

Utilities 
— In-Circuit-Emulator (ICE™ -286) 
High Bandwidth Bus Interface 
(8 or 10 Megabyte/Sec) 

Available in EXPRESS: 
—Standard Temperature Range 



The iAPX 286/10 (80286 part number) is an advanced, high-performance microprocessor with specially optimized 
capabilities for multiple user and multi-tasking systems. The 80286 has built-in memory protection that supports 
operating system and task isolation as well as program and data privacy within tasks. A 10 MHz iAPX 286/10 provides 
up to six times greater throughput than the standard 5 MHz iAPX 86/10. The 80286 includes memory management 
capabilities that map up to 2 30 bytes (one gigabyte) of virtual address space per task into 2 24 bytes (16 megabytes) of 
physical memory. 

The iAPX 286 is upward compatible with iAPX 86 and 88 software. Using iAPX 86 real address mode, the 80286 is 
object code compatible with existing iAPX 86, 88 software. In protected virtual address mode, the 80286 is source 
code compatible with iAPX 86, 88 software and may require upgrading to use virtual addresses supported by the 
80286's integrated memory management and protection mechanism. Both modes operate at full 80286 performance 
and execute a superset of the iAPX 86 and 88's instructions. 

The 80286 provides special operations to support the efficient implementation and execution of operating systems. 
For example, one instruction can end execution of one task, save its state, switch to a new task, load its state, and 
start execution of the new task. The 80286 also supports virtual memory systems by providing a segment-not-present 
exception and restartable instructions. 
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Figure 1. 80286 Internal Block Diagram 
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Component Pad View— As viewed from 
underside of component when mounted on 
the board. 



*o □' 

*. Z 
*» Zl 

CLK Zl 
Vcc Zl 

Z) 

z 

u 
zi 

Zl 
Z 

z 

z 
z 

Zl 

I] 

0] 



> Q O D 



S S 6 S a a a a 



O O O O Q 



^UUUUUUUUUUUUUUUI 



z 



innnnnnnnnnnnnnnra, 

1 5 3 s ISBia s si 



CAP 

erroA 
6057 



vss 

PEREO 

Vcc 
Ready 

HOLD 
HLDA 
COO/fNTA 
MIO 



[~. CTOk 
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Figure 2. 80286 Pin Configuration 



Table 1. Pin Description 

The following pin function descriptions are for the 80286 microprocessor: 



Symbol 


Type 


Name and Function 


CLK 


I 


System Clock provides the fundamental timing for iAPX 286 systems. It is divided by two inside 
the 80286 to generate the processor clock. The internal divide-by-two circuitry can 
be synchronized to an external clock generator by a LOW to HIGH transition on the RESET 
input. 


D15-D0 


I/O 


Data Bus inputs data during memory, I/O, and interrupt acknowledge read cycles; outputs data 
during memory and I/O write cycles. The data bus is active HIGH and floats to 3-state OFF during 
bus hold acknowledge. 


A23-A0 





Address Bus outputs physical memory and I/O port addresses. A0 is LOW when data is to be 
transferred on pins D7_n. A23-A16 are LOW during I/O transfers. The address bus is active HIGH 
and floats to 3-state OFF during bus hold acknowledge. 


BHE 





Bus High Enable indicates transfer of data on the upper byte of the data bus, D-is-a- Eight-bit 
oriented devices assigned to the upper byte of the data bus would normally use BHE to con- 
dition chip select functions. BHE is active LOW and floats to 3-state OFF during bus hold acknowledge. 




BHE and AO Encodings 




BHE Value 


AO Value 


Function 





1 
1 




1 



1 


Word transfer 

Byte transfer on upper half of data bus (Di 5_s) 

Byte transfer on lower half of data bus (D7_o) 

Reserved 
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Table 1 . Pin Description (Cont.) 



Symbol 



Type 



Name and Function 



S1.S0 



Bus Cycle Status indicates initiation of a bus cycle and, along with M/TO" and COD/INTA, defines 
the type of bus cycle. The bus is in a T s state whenever one or both are LOW. ST and 50 are 
active LOW and float to 3-state OFF during bus hold acknowledge. 



80286 Bus Cycle Status Definition 


COD/iNTA 


M/IO 


S1 


so 


Bus cycle initiated 


(LOW) 













Interrupt acknowledge 













1 


Reserved 










1 





Reserved 










1 


1 


None; not a status cycle 





1 










IF A1 = 1 then halt; else shutdown 





1 







1 


Memory data read 





1 




1 





Memory data write 





1 




1 


1 


None; not a status cycle 


1 (HIGH) 













Reserved 


1 










1 


I/O read 


1 







1 





I/O write 


1 







1 


1 


None; not a status cycle 


1 


1 










Reserved 


1 
1 
1 


1 
1 
1 






1 
1 


1 



1 


Memory instruction read 

Reserved 

None; not a status cycle 



M/IO 



Memory/IO Select distinguishes memory access from I/O access. If HIGH during T s , a memory 
cycle or a halt/shutdown cycle is in progress. If LOW, an I/O cycle or an interrupt acknowledge cycle 
is in progress. M/IO floats to 3-state OFF during bus hold acknowledge. 



COD/INTA 



Code/Interrupt Acknowledge distinguishes instruction fetch cycles fro m mem ory data read cycles. 
Also distinguishes interrupt acknowledge cycles from I/O cycles. COD/INTA floats to 3-state OFF 
during bus hold acknowledge. 



LOCK 



Bus Lock indicates that ot her sys tem bus masters are not to gain control of the system bus following 
the current bus cycle. The LOCK signal may be activated explicitly by the "LOCK" instruction prefix 
or automatically by 802 86 hard ware during memory XCHG instructions, interrupt acknowledge, or 
descriptor table access. LOCK is active LOW and floats to 3-state OFF du ring bus hold acknowledge. 



READY 



Bus R eady ter minates a bus cycle. Bus cycles are extended without limit until terminated by READY 
LOW. READY is an active LOW synchro nous inp ut requiring setup and hold times relative to the 
system clock be met for correct operation. READY is ignored during bus hold acknowledge. 



HOLD 
HLDA 



Bus Hold Request and Hold Acknowledge control ownership of the 80286 local bus. The HOLD 
input allows another local bus master to request control of the local bus. When control is granted, the 
80286 will float its bus drivers to 3-state OFF and then activate HLDA, thus entering the bus hold 
acknowledge condition. The local bus will remain granted to the requesting master until HOLD 
becomes inactive which results in the 80286 deactivating HLDA and regaining control of the local 
bus. This terminates the bus hold acknowledge condition. HOLD may be asynchronous to the system 
clock. These signals are active HIGH. 



INTR 



Interrupt Request requests the 80286 to suspend its current program execution and service a 
pending external request. Interrupt requests are masked whenever the interrupt enable bit in the 
flag word is cleared. When the 80286 responds to an interrupt request, it performs two interrupt 
acknowledge bus cycles to read an 8-bit interrupt vector that identifies the source of the interrupt. To 
assure program interruption, INTR must remain active until the first interrupt acknowledge cycle is 
completed. INTR is sampled at the beginning of each processor cycle and must be active HIGH at 
least two processor cycles before the current instruction ends in order to interrupt before the next 
instruction. INTR is level sensitive, active HIGH, and may be asynchronous to the system clock. 



NMI 



Non-maskable Interrupt Request interrupts the 80286 with an internally supplied vector value of 
2. No interrupt acknowledge cycles are performed. The interrupt enable bit in the 80286 flag word 
does not affect this input. The NMI input is active HIGH, may be asynchronous to the system clock, 
and is edge triggered after internal synchronization. For proper recognition, the input must have 
been previously LOW for at least four system clock cycles and remain HIGH for at least four system 
clock cycles. 
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Table 1. Pin Description (Cont.) 



Symbol 


Type 


Name and Function 


PEREQ 
PEACK 


I 



Processor Extension Operand Request and Acknowledge extend the memory management and protection) 
capabilities of the 80286 to processor extensions. The PEREQ input requests the 80286 to perform a data, 
operand transfer for a processor extension. The PEACK output signals the processor extension when the, 
requested operand is being transferred. PEREQ is active HIGH and floats to 3-state OFF during bus hold| 
acknowledge. PEACK may be asynchronous to the system clock. PEACK is active LOW. 


BUSY 
ERROR 


I 
I 


Processor Extension Busy and Error indicate the operating condition of a processor extension 
to the 80286. An active BUSY input stops 80286 program execution on WAIT and some ESC 
instructions until BTJ57 becomes inactive (HIGH). The 80286 may be interrupted while waiting 
for BUST to become inactive. An active ERROR input causes the 80286 to perform a processor 
extension interrupt when executing WAIT or some ESC instructions. These inputs are active 
LOW and may be asynchronous to the system clock. 


RESET 


I 


System Reset clears the internal logic of the 80286 and is active HIGH. The 80286 may be re- 
initialized at any time with a LOW to HIGH transition on RESET which remains active for more than 
16 system clock cycles. During RESET active, the output pins of the 80286 enter the state shown 
below: 




80286 Pin State During Reset 




Pin Value 


Pin Names 


1 (HIGH) 
0(LOW) 
3-state OFF 


SO, S1 , PEACK, A23-A0, BHE, LOCK 

M/IO, COD/INTA, HLDA 

D15-D0 


Operation of the 80286 begins after a HIGH to LOW transition on RESET. The HIGH to LOW transi- 
tion of RESET must be synchronous to the system clock. Approximately 50 system clock cycles are 
required by the 80286 for internal initializations before the first bus cycle to fetch code from the 
power-on execution address is performed. 

A LOW to HIGH transition of RESET synchronous to the system clock will end a processor 
cycle at the second HIGH to LOW transition of the system clock. The LOW to HIGH transition 
of RESET may be asynchronous to the system clock; however, in this case it cannot be prede- 
termined which phase of the processor clock will occur during the next system clock period. 
Synchronous LOW to HIGH transitions of RESET are required only for systems where the 
processor clock must be phase synchronous to another clock. 


v S s 


I 


System Ground: VOLTS. 


v C c 


I 


System Power: + 5 Volt Power Supply. 


CAP 


I 


Substrate Filter Capacitor: a 0.047iif ± 20% 12V capacitor must be connected between this pin 
and ground. This capacitor filters the output of the internal substrate bias generator. A maximum DC 
leakage current of 1 ita is allowed through the capacitor. 

For correct operation of the 80286, the substrate bias generator must charge this capacitor to its 
operating voltage. The capacitor chargeup time is 5 milliseconds (max.) after Vqc ar| d CLK reach 
their specified AC and DC parameters. RESET may be applied to prevent spurious activity by the 
CPU during this time. After this time, the 80286 processor clock can be phase synchronized to 
another clock by pulsing RESET LOW synchronous to the system clock. 
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FUNCTIONAL DESCRIPTION 
Introduction 

The 80286 is an advanced, high-performance micro- 
processor with specially optimized capabilities for mul- 
tiple user and multi-tasking systems. Depending on the 
application, the 80286's performance is up to six times 
faster than the standard 5 MHz 8086's, while providing 
complete upward software compatibility with Intel's iAPX 
86, 88, and 186 family of CPU's. 

The 80286 operates in two modes: iAPX 86 real address 
mode and protected virtual address mode. Both modes 
execute a superset of the iAPX 86 and 88 instruction set. 

In iAPX 86 real address mode programs use real ad- 
dresses with up to one megabyte of address space. Pro- 
grams use virtual addresses in protected virtual address 
mode, also called protected mode. In protected mode, 
the 80286 CPU automatically maps 1 gigabyte of virtual 
addresses per task into a 16 megabyte real address 
space. This mode also provides memory protection to 
isolate the operating system and ensure privacy of each 
tasks' programs and data. Both modes provide the same 
base instruction set, registers, and addressing modes. 

The following Functional Description describes first, the 
base 80286 architecture common to both modes, sec- 
ond, iAPX 86 real address mode, and third, protected 
mode. 



Register Set 

The 80286 base architecture has fifteen registers as 
shown in Figure 3. These registers are grouped into the 
following four categories: 



General Registers: Eight 16-bit general purpose reg- 
isters used to contain arithmetic and logical operands. 
Four of these (AX, BX, CX, and DX) can be used either 
in their entirety as 16-bit words or split into pairs of sep- 
arate 8-bit registers. 



Segment Registers: Four 16-bit special purpose reg- 
isters select, at any given time, the segments of memory 
that are immediately addressable for code, stack, and 
data. (For usage, refer to Memory Organization.) 



Base and Index Registers: Four of the general pur- 
pose registers may also be used to determine offset ad- 
dresses of operands in memory. These registers may 
contain base addresses or indexes to particular loca- 
tions within a segment. The addressing mode deter- 
mines the specific registers used for operand address 
calculations. 



iAPX 286/10 BASE ARCHITECTURE 

The iAPX 86, 88, 186, and 286 CPU family all contain 
the same basic set of registers, instructions, and ad- 
dressing modes. The 80286 processor is upward com- 
patible with the 8086, 8088, and 80186 CPU's. 



Status and Control Registers: The 3 1 6-bit special 
purpose registers in figure 3A record or control cer- 
tain aspects of the 80286 processor state including 
the Instruction Pointer, which contains the offset 
address of the next sequential instruction to be 
executed. 



16-BIT 

REGISTER 

NAME 



BYTE 

ADDRESSABLE 

(8-BIT 

REGISTER 

NAMES 

SHOWN) 



AX 


AH 


AL 


DX 


DH 


DL 


CX 


CH 


CL 


BX 


BH 


BL 


BP 




SI 




Dl 




SP 





SPECIAL 
REGISTER 
FUNCTIONS 



MULTIPLY/DIVIDE 
I/O INSTRUCTIONS 



LOOP/SHIFT/REPEAT COUNT 
BASE REGISTERS 

INDEX REGISTERS 
STACK POINTER 



GENERAL 
REGISTERS 



cs 




DS 




SS 




ES 






SEGMENT REGISTERS 
15 


F 




IP 




MSW 





CODE SEGMENT SELECTOR 
DATA SEGMENT SELECTOR 
STACK SEGMENT SELECTOR 
EXTRA SEGMENT SELECTOR 



FLAGS 

INSTRUCTION POINTER 

MACHINE STATUS WORD 



STATUS AND CONTROL 
REGISTERS 



Figure 3. Register Set 
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STATUS FLAGS: 

CARRY 

PARITY 

AUXILIARY CARRY 

ZERO 

SIGN 

OVERFLOW 

13 



15 14 



EI 



EI 



MI 



MI 



MI 



CONTROL FLAGS: 
TRAP FLAG 
INTERRUPT ENABLE 
DIRECTION FLAG 



SPECIAL FIELDS: 
I/O PRIVILEGE LEVEL 
NESTED TASK FLAG 



BM1M11M1I11W 



TS I EM I MP I PE 



ESI 



INTEL RESERVED 



TASK SWITCH 

PROCESSOR EXTENSION EMULATED 

MONITOR PROCESSOR EXTENSION 

PROTECTION ENABLE 



Figure 3a. Status and Control Register Bit Functions 



Flags Word Description 

The Flags word (Flags) records specific characteristics 
of the result of logical and arithmetic instructions (bits 0, 
2, 4, 6, 7, and 1 1 ) and controls the operation of the 80286 
within a given operating mode (bits 8 and 9). Flags is a 
16-bit register. The function of the flag bits is given in 
Table 2. 

Instruction Set 

The instruction set is divided into seven categories: data 
transfer, arithmetic, shift/rotate/logical, string manipula- 
tion, control transfer, high level instructions, and pro- 
cessor control. These categories are summarized in 
Figure 4. 

An 80286 instruction can reference zero, one, or two 
operands; where an operand resides in a register, in the 
instruction itself, or in memory. Zero-operand instruc- 
tions (e.g. NOP and HLT) are usually one byte long. One- 
operand instructions (e.g. INC and DEC) are usually two 
bytes long but some are encoded in only one byte. One- 
operand instructions may reference a register or mem- 
ory location. Two-operand instructions permit the follow- 
ing six types of instruction operations: 

— Register to Register 
— Memory to Register 
— Immediate to Register 
— Memory to Memory 
— Register to Memory 
— Immediate to Memory 



Table 2. Flags Word Bit Functions 



Bit 
Position 


Name 


Function 





CF 


Carry Flag— Set on high-order bit 
carry or borrow; cleared otherwise 


2 


PF 


Parity Flag— Set if low-order 8 bits 
of result contain an even number of 
1 -bits; cleared otherwise 


4 


AF 


Set on carry from or borrow to the 
low order four bits of AL; cleared 
otherwise 


6 


ZF 


Zero Flag-Set if result is zero; 
cleared otherwise 


7 


SF 


Sign Flag — Set equal to high-order 
bit of result (0 if positive, 1 if negative) 


11 


OF 


Overflow Flag — Set if result is a too- 
large positive number or a too-small 
negative number (excluding sign-bit) 
to fit in destination operand; cleared 
otherwise 


8 


TF 


Single Step Flag — Once set, a sin- 
gle step interrupt occurs after the 
next instruction executes. TF is 
cleared by the single step interrupt. 


9 


IF 


Interrupt-enable Flag — When set, 
maskable interrupts will cause the 
CPU to transfer control to an inter- 
rupt vector specified location. 


10 


DF 


Direction Flag— Causes string 
instructions to auto decrement 
the appropriate index registers 
when set. Clearing DF causes 
auto increment. 
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Two-operand instructions (e.g. MOV and ADD) are usu- 
ally three to six bytes long. Memory to memory opera- 
tions are provided by a special class of string instructions 
requiring one to three bytes. For detailed instruction for- 
mats and encodings refer to the instruction set summary 
at the end of this document. 



GENERAL PURPOSE 


MOV 


Move byte or word 


PUSH 


Push word onto stack 


POP 


Pop word off stack 


PUSHA 


Push all registers on stack 


POPA 


Pop all registers from stack 


XCHG 


Exchange byte or word 


XLAT 


Translate byte 


INPUT/OUTPUT 


IN 


Input byte or word 


OUT 


Output byte or word 


ADDRESS OBJECT 


LEA 


Load effective address 


LDS 


Load pointer using DS . 


LES 


Load pointer using ES 


FLAG TRANSFER 


LAHF 


Load AH register from flags 


SAHF 


Store AH register in flags 


PUSHF 


Push flags onto stack 


POPF 


Pop flags off stack 



Figure 4a. Data Transfer Instructions 



MOVS 


Move byte or word string 


INS 


Input bytes or word string 


OUTS 


Output bytes or word string 


CMPS 


Compare byte or word string 


SCAS 


Scan byte or word string 


LODS 


Load byte or word string 


STOS 


Store byte or word string 


REP 


Repeat 


REPE/REPZ 


Repeat while equal/zero 


REPNE/REPNZ 


Repeat while not equal/not zero 



ADDITION 


ADD 


Add byte or word 


ADC 


Add byte or word with carry 


INC 


Increment byte or word by 1 


AAA 


ASCII adjust for addition 


DAA 


Decimal adjust for addition 


SUBTRACTION 


SUB 


Subtract byte or word 


SBB 


Subtract byte or word with borrow 


DEC 


Decrement byte or word by 1 


NEG 


Negate byte or word 


CMP 


Compare byte or word 


AAS 


ASCII adjust for subtraction 


DAS 


Decimal adjust for subtraction 


MULTIPLICATION 


MUL 


Multiply byte or word unsigned 


IMUL 


Integer multiply byte or word 


AAM 


ASCII adjust for multiply 


DIVISION 


DIV 


Divide byte or word unsigned 


IDIV 


Integer divide byte or word 


AAD 


ASCII adjust for division 


CBW 


Convert byte to word 


CWD 


Convert word to doubleword 



Figure 4b. Arithmetic Instructions 



LOGICALS 


NOT 


"Not" byte or word 


AND 


"And" byte or word 


OR 


"Inclusive or" byte or word 


XOR 


"Exclusive or" byte or word 


TEST 


"Test" byte or word 


SHIFTS 


SHL/SAL 


Shift logical/arithmetic left byte or word 


SHR 


Shift logical right byte or word 


SAR 


Shift arithmetic right byte or word 


ROTATES 


ROL 


Rotate left byte or word 


ROR 


Rotate right byte or word 


RCL 


Rotate through carry left byte or word 


RCR 


Rotate through carry right byte or word 



Figure 4c. String Instructions 



Figure 4d. Shift/Rotate/Logical Instructions 
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CONDITIONAL TRANSFERS 


UNCONDITIONAL TRANSFERS 


JA/JNBE 


Jump if above/not below nor equal 


CALL 


Call procedure 


JAE/JNB 


Jump if above or equal/not below 


RET 


Return from procedure 


JB/JNAE 


Jump if below/not above nor equal 


JMP 


Jump 


JBE/JNA 


Jump if below or equal/not above 


JC 


Jump if carry 


ITERATION CONTROLS 


JE/JZ 


Jump if equal/zero 


LOOP 


Loop 


JG/JNLE 


Jump if greater/not less nor equal 


JGE/JNL 


Jump if greater or equal/not less 


LOOPE/LOOPZ 


Loop if equal/zero 


JL/JNGE 


Jump if less/not greater nor equal 


LOOPNE/LOOPNZ 


Loop if not equal/not zero 


JLE/JNG 


Jump if less or equal/not greater 


JCXZ 


Jump if register CX = 


JNC 


Jump if not carry 


JNE/JNZ 


Jump if not equal/not zero 


INTERRUPTS 


JNO 


Jump if not overflow 


INT 


Interrupt 


JNP/JPO 


Jump if not parity/parity odd 


JNS 


Jump if not sign 


INTO 


Interrupt if overflow 


JO 


Jump if overflow 


IRET 


Interrupt return 


JP/JPE 


Jump if parity/parity even 


JS 


Jump if sign 



Figure 4e. Program Transfer Instructions 



FLAG OPERATIONS 


STC 


Set carry flag 


CLC 


Clear carry flag 


CMC 


Complement carry flag 


STD 


Set direction flag 


CLD 


Clear direction flag 


STI 


Set interrupt enable flag 


CLI 


Clear interrupt enable flag 


EXTERNAL SYNCHRONIZATION 


HLT 


Halt until interrupt or reset 


WAIT 


Wait for BUSY not active 


ESC 


Escape to extension processor 


LOCK 


Lock bus during next instruction 


NO OPERATION 


NOP 


No operation 


EXECUTION ENVIRONMENT CONTROL 


LMSW 


Load machine status word 


SMSW 


Store machine status word 



Memory Organization 

Memory is organized as sets of variable length seg- 
ments. Each segment is a linear contiguous sequence 
of up to 64K (216) 8-bit bytes. Memory is addressed us- 
ing a two-component address (a pointer) that consists 
of a 16-bit segment selector, and a 16-bit offset. The 
segment selector indicates the desired segment in 
memory. The offset component indicates the desired byte 
address within the segment. 



Figure 4f. Processor Control Instructions 



ENTER 


Format stack for procedure entry 


LEAVE 


Restore stack for procedure exit 


BOUND 


Detects values outside prescribed range 





32-BIT POINTER 


o 




<j 

. SELECTED 
SEGMENT 










SEGMENT 


OFFSET 






31 


16 15 ( 








T 


OPERAND 
SELECTED 










' 


MEMORY 



Figure 4g. High Level Instructions 



Figure 5. Two Component Address 
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Table 3. Segment Register Selection Rules 



Memory 
Reference Needed 


Segment Register 
Used 


Implicit Segment 
Selection Rule 


Instructions 


Code (CS) 


Automatic with instruction prefetch 


Stack 


Stack (SS) 


All stack pushes and pops. Any memory reference which uses BP as a 
base register. 


Local Data 


Data (DS) 


All data references except when relative to stack or string destination 


External (Global) Data 


Extra (ES) 


Alternate data segment and destination of string operation 



All instructions that address operands in memory must 
specify the segment and the offset. For speed and com- 
pact instruction encoding, segment selectors are usu- 
ally stored in the high speed segment registers. An 
instruction need specify only the desired segment reg- 
ister and an offset in order to address a memory operand. 

Most instructions need not explicitly specify which seg- 
ment register is used. The correct segment register is 
automatically chosen according to the rules of Table 3. 
These rules follow the way programs are written (see 
Figure 6) as independent modules that require areas for 
code and data, a stack, and access to external data areas. 

Special segment override instruction prefixes allow 
the implicit segment register selection rules to be 
overridden for special cases. The stack, data, and 
extra segments may coincide for simple programs. 
To access operands not residing in one of the four 
immediately available segments, a full 32-bit pointer 
or a new segment selector must be loaded. 

Addressing Modes 

The 80286 provides a total of eight addressing modes 
for instructions to specify operands. Two addressing 
modes are provided for instructions that operate on reg- 
ister or immediate operands: 

Register Operand Mode: The operand is located in 
one of the 8 or 1 6-bit general registers. 

Immediate Operand Mode. The operand is included 
in the instruction. 

Six modes are provided to specify the location of an op- 
erand in a memory segment. A memory operand ad- 
dress consists of two 16-bit components: segment 
selector and offset. The segment selector is supplied by 
a segment register either implicitly chosen by the ad- 
dressing mode or explicitly chosen by a segment over- 
ride prefix. The offset is calculated by summing any 
combination of the following three address elements: 

the displacement (an 8 or 16-bit immediate value 
contained in the instruction) 

the base (contents of either the BX or BP base 
registers) 

the index (contents of either the SI or Dl index registers) 
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Figure 6. Segmented Memory Helps 
Structure Software 

Any carry out from the 16-bit addition is ignored. Eight- 
bit displacements are sign extended to 16-bit values. 

Combinations of these three address elements define 
the sjx memory addressing modes, described below. 

Direct Mode: The operand's offset is contained in the 
instruction as an 8 or 1 6-bit displacement element. 

Register Indirect Mode: The operand's offset is in one 
of the registers SI, Dl, BX ; or BP. 

Based Mode: The operand's offset is the sum of an 8 or 
16-bit displacement and the contents of a base register 
(BXorBP). 
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Indexed Mode: The operand's offset is the sum of an 8 
or 16-bit displacement and the contents of an index reg- 
ister (SI or Dl). 

Based Indexed Mode: The operand's offset is the sum 
of the contents of a base register and an index register. 

Based Indexed Mode with Displacement: The oper- 
and's offset is the sum of a base register's contents, an 
index register's contents, and an 8 or 16-bit displacement. 

Data Types 

The 80286 directly supports the following data types: 
Integer: A signed binary numeric value con- 

tained in an 8-bit byte or a 16-bit word. 
All operations assume a 2's comple- 
ment representation. Signed 32 and 64- 
bit integers are supported using the iAPX 
286/20 Numeric Data Processor. 

Ordinal: An unsigned binary numeric value con- 

tained in an 8-bit byte or 1 6-bit word. 

Pointer: A 32-bit quantity, composed of a seg- 

ment selector component and an offset 
component. Each component is a 1 6-bit 
word. 

String: A contiguous sequence of bytes or 

words. A string may contain from 1 byte 
to 64K bytes. 

ASCII: A byte representation of alphanumeric 

and control characters using the ASCII 
standard of character representation. 

BCD: A byte (unpacked) representation of the 

decimal digits 0-9. 

Packed BCD: A byte (packed) representation of two 
decimal digits 0-9 storing one digit in 
each nibble of the byte. 

Floating Point: A signed 32, 64, or 80-bit real number 
representation. (Floating point operands 
are supported using the iAPX 286/20 
Numeric Processor configuration.) 

Figure 7 graphically represents the data types sup- 
ported by the iAPX 286. 



I/O Space 

The I/O space consists of 64K 8-bit or 32K 16-bit ports. 
I/O instructions address the I/O space with either an 8- 
bit port address, specified in the instruction, or a 16-bit 
port address in the DX register. 8-bit port addresses are 
zero extended such that A^-Ag are LOW. I/O port ad- 
dresses 00F8(H) through 00FF(H) are reserved. 



SIGNED 


nn iii 


BYTE | | I | 


SIGN BIT -J 1 1 


MAGNITUDE 


UNSIGNED 


7 


1 1 1 1 1 1 1 1 


BYTE | 1 | 




L MSB i 


MAGNITUDE 


1514 + 1 8 7 ° 


SIGNED 


II III ITI III 


WORD 


Ml 1 ! 


SIGN BIT 


J I L -MSB | 



MAGNITUDE 
SIGNED 31 " r3 +2 16 15 



DOUBLE ||"|lll|lll|lll|lll|IM|lll|lirj 
SIGN BIT-J 1 1- MSB | 



+ 7 +6 +5 +4 +3 + 2 +1 

SIGNED 63 48 47 3231 1615 

QUAD 



SIGN BIT -V- MSB 







UNSIGNED I I I I I I II II II II I I I 
WORD I ' I ' I 



, L -MSB 



MAGNITUDE 
+ N „ 



r^ 7 ] 



BINARY 

CODED 

DECIMAL 

(BCD) BCD 

y ' DIGIT N 

7 + " , 
I I II I I I 



II I I I I I II I I | I I I 



BCD BCD 

DIGIT 1 DIGIT 



ASCII 



ASCII 
CHARACTER^ 



PACKED rTTTTTTTl 



ASCII ASCII 
CHARACTER, CHARACTERo 



c 



I I I I I I I I I I I I I 



LEAST 
SIGNIFICANT DIGIT 



I I II I I II I ... Ill I | I I I III I |l 



BYTE/WORD N 



BYTE/WORD 1 BYTE/WORD 



31 "^ * 


" 1615 * 




' 




POINTER |"T"|'" 


I I I I I I I 


1 1 1 1 1 1 1 


'"1 




1 


1 




1 




SELECTOR 

79 +9 +8 + 7 


+ 6 +5 


OFFSET 

+ 4 +3 


+ 2 +1 





"^11 1 l 1 1 1 1 1 1 1 


SIGN BIT-", | | 



EXPONENT MAGNITUDE 

'Supported by iAPX 286/20 Numeric Data Processor Configuration 



Figure 7. iAPX 286 Supported Data Types 
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Table 4. Interrupt Vector Assignments 



Function 


Interrupt 
Number 


Related 
Instructions 


Return Address 

Before Instruction 

Causing Exception? 


Divide error exception 





DIV, IDIV 


Yes 


Single step interrupt 


1 


All 




N Ml interrupt 


2 


All 




Breakpoint interrupt 


3 


INT 




INTO detected overflow exception 


4 


INTO 


No 


BOUND range exceeded exception 


5 


BOUND 


Yes 


Invalid opcode exception 


6 


Any undefined opcode 


Yes 


Processor extension not available exception 


7 


ESC or WAIT 


Yes 


Reserved 


8-15 






Processor extension error interrupt 


16 


ESC or WAIT 




Reserved 


17-31 






User defined 


32-255 







Interrupts 

An interrupt transfers execution to a new program loca- 
tion. The old program address (CS:IP) and machine state 
(Flags) are saved on the stack to allow resumption 
of the interrupted program. Interrupts fall into three 
classes: hardware initiated, INT instructions, andinstruc- 
tion exceptions. Hardware initiated interrupts occur 
in response to an external input and are classified 
as non-maskable or maskable. Programs may cause 
an interrupt with an INT instruction. Instruction excep- 
tions occur when an unusual condition, which pre- 
vents further instruction processing, is detected while 
attempting to execute an instruction. The return ad- 
dress from an exception will always point at the in- 
struction causing the exception and include any leading 
instruction prefixes. 

A table containing up to 256 pointers defines the proper 
interrupt service routine for each interrupt. Interrupts 0- 
31, some of which are used for instruction exceptions, 
are reserved. For each interrupt, an 8-bit vector must be 
supplied to the 80286 which identifies the appropriate 
table entry. Exceptions supply the interrupt vector inter- 
nally. INT instructions contain or imply the vector and 
allow access to all 256 interrupts. Maskable hardware 
initiated interrupts supply the 8-bit vector to the CPU 
during an interrupt acknowledge bus sequence. Non- 
maskable hardware interrupts use a predefined inter- 
nally supplied vector. 

MASKABLE INTERRUPT (INTR) 

The 80286 provides a maskable hardware interrupt re- 
quest pin, INTR. Software enables this input by setting 



the interrupt flag bit (IF) in the flag word. All 224 user- 
defined interrupt sources can share this input, yet they 
can retain separate interrupt handlers. An 8-bit vector 
read by the CPU during the interrupt acknowledge se- 
quence (discussed in System Interface section) identi- 
fies the source of the interrupt. 

Further maskable interrupts are disabled while servic- 
ing an interrupt by resetting the IF but as part of the 
response to an interrupt or exception. The saved flag 
word will reflect the enable status of the processor prior 
to the interrupt. Until the flag word is restored to the flag 
register, the interrupt flag will be zero unless specifically 
set. The interrupt return instruction includes restoring 
the flag word, thereby restoring the original status of IF. 

NON-MASKABLE INTERRUPT REQUEST (NMI) 

A non-maskable interrupt input (NMI) is also provided. 
NMI has higher priority than INTR. A typical use of NMI 
would be to activate a power failure routine. The activa- 
tion of this input causes an interrupt with an internally 
supplied vector value of 2. No external interrupt ac- 
knowledge sequence is performed. 

While executing the NMI servicing procedure, the80286 
will service neither further NMI requests, INTR re- 
quests, nor the processor extension segment overrun 
interrupt until an interrupt return (IRET) instruction is ex- 
ecuted or the CPU is reset. If NMI occurs while currently 
servicing an NMI, its presence will be saved for servic- 
ing after executing the first IRET instruction. IF is cleared 
at the beginning of an NMI interrupt to inhibit INTR 
interrupts. 
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SINGLE STEP INTERRUPT 

The 80286 has an internal interrupt that allows pro- 
grams to execute one instruction at a time. It is called the 
single step interrupt and is controlled by the single step 
flag bit (TF) in the flag word. Once this bit is set, an inter- 
nal single step interrupt will occur after the next instruc- 
tion has been executed. The interrupt clears the TF bit 
and uses an internally supplied vector of 1. The IRET 
instruction is used to set the TF bit and transfer control 
to the next instruction to be single stepped. 

Interrupt Priorities 

When simultaneous interrupt requests occur, they are 
processed in a fixed order as shown in Table 5. Interrupt 
processing involves saving the flags, return address, and 
setting CS:IP to point at the first instruction of the inter- 
rupt handler. If other interrupts remain enabled they are 
processed before the first instruction of the current in- 
terrupt handler is executed. The last interrupt processed 
is therefore the first one serviced. 

Table 5. Interrupt Processing Order 



Table 6. 80286 Initial Register State after RESET 



Order 


Interrupt 


1 


INT instruction or exception 


2 


Single step 


3 


NMI 


4 


Processor extension segment overrun 


5 


INTR 



Initialization and Processor Reset 

Processor initialization or start up is accomplished by 
driving the RESET input pin HIGH. RESET forces the 
80286 to terminate all execution and local bus activity. 
No instruction or bus activity will occur as long as RE- 
SET is active. After RESET becomes inactive and an 
internal processing interval elapses, the 80286 begins 
execution in real address mode with the instruction at 
physical location FFFFFO(H). RESET also sets some 
registers to predefined values as shown as shown in 
Table 6. 



Flag word 


0002(H) 


Machine Status Word 


FFF0(H) 


Instruction pointer 


FFF0(H) 


Code segment 


F000(H) 


Data segment 


0000(H) 


Extra segment 


0000(H) 


Stack segment 


0000(H) 



Machine Status Word Description 

The machine status word (MSW) records when a task 
switch takes plaej£and controls the operating mode of 
the 80286. It is a 16-bit register of which the lower four 
bits are used. One bit places the CPU into protected 
mode, while the other three bits, as shown in Table 7, 
control the processor extension interface. After RESET, 
this register contains FFF0(H) which places the 80286 
in iAPX 86 real address mode. 

Table 7. MSW Bit Functions 



Bit 
Position 


Name 


Function 





PE 


Protected mode enable places the 
80286 into protected mode and can 
not be cleared except by RESET. 


1 


MP 


Monitor processor extension al- 
lows WAIT instructions to cause a 
processor extension not present 
exception (number 7). 


2 


EM 


Emulate processor extension 
causes a processor extension not 
present exception (number 7) on 
ESC instructions to allow emulat- 
ing a processor extension. 


3 


TS 


Task switched indicates the next 
instruction using a processor ex- 
tension will cause exception 7, al- 
lowing software to test whether the 
current processor extension con- 
text belongs to the current task. 



The LMSW and SMSW instructions can load and store 
the MSW in real address mode. The recommended use 
of TS, EM, and MP is shown in Table 8. 



Table 8. Recommended MSW Encodings For Processor Extension Control 



TS 


MP 


EM 


Recommended Use 


Instructions 

Causing 
Exception 7 











Initial encoding after RESET. iAPX 286 operation is identical to 
iAPX 86,88. 


None 








1 


No processor extension is available. Software will emulate its function. 


ESC 


1 





1 


No processor extension is available. Software will emulate its function. The current 
processor extension context may belong to another task. 


ESC 





1 





A processor extension exists. 


None 


1 


1 





A processor extension exists. The current processor extension context may belong 
to another task. The exception on WAIT allows software to test for an error pending 
from a previous processor extension operation. 


ESC or 
WAIT 
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Halt 

The HLT instruction stops program execution and pre- 
vents the CPU from using the local bus until restarted. 
Either NMI, INTR with IF =. 1, or RESET will force the 
80286 out of halt. If interrupted, the saved CS:IP will 
point to the next instruction after the HLT. 



iAPX 86 REAL ADDRESS MODE 

The 80286 executes a fully upward-compatible superset 
of the 8086 instruction set in real address mode. In real 
address mode the 80286 is object code compatible with 
8086 and 8088 software. The real address mode archi- 
tecture (registers and addressing modes) is exactly as 
described in the iAPX 286/10 Base Architecture section 
of this Functional Description. 

Memory Size 

Physical memory is a contiguous array of up to 
1,048,576 bytes (on e meg abyte) addressed by pins 
A through A 19 and BHE. A 20 through A 23 may be 
ignored. 



Memory Addressing 

In real address mode the processor generates 20-bit 
physical addresses directly from a 20-bit segment base 
address and a 1 6-bit offset. 

The selector portion of a pointer is interpreted as the 
upper 16 bits of a 20-bit segment address. The lower 
four bits of the 20-bit segment address are always zero. 
Segment addresses, therefore, begin on multiples of 16 
bytes. See Figure 8 for a graphic representation of ad- 
dress formation. 

All segments in real address mode are 64K bytes in size 
and may be read, written, or executed. An exception or 
interrupt can occur if data operands or instructions at- 
tempt to wrap around the end of a segment (e.g. a word 
with its low order byte at offset FFFF(H) and its high 
order byte at offset 0000(H)). If, in real address mode, 
the information contained in a segment does not use the 
full 64K bytes, the unused end of the segment may be 
overlayed by another segment to reduce physical mem- 
ory requirements. 

Reserved Memory Locations 

The 80286 reserves two fixed areas of memory in real 
address mode (see Figure 9); system initialization area 
and interrupt table area. Locations from addresses 
FFFFO(H) thorugh FFFFF(H) are reserved for system 
initialization. Initial execution begins at location FFFFO(H). 
Locations 00000(H) through 003FF(H) are reserved for 
interrupt vectors. 
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OFFSET 
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Figure 8. iAPX 86 Real Address Mode Address 
Calculation 
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Figure 9. iAPX 86 Real Address Mode Initially 
Reserved Memory Locations 
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Table 9. Real Address Mode Addressing Interrupts 



Function 


Interrupt 
Number 


Related 
Instructions 


Return Address 
Before Instruction? 


Interrupt table limit too small exception 


8 


INT vector is not within table limit 


Yes 


Processor extension segment overrun 
interrupt 


9 


ESC with memory operand extend- 
ing beyond offset FFFF(H) 


No 


Segment overrun exception 


13 


Word memory reference with offset 
= FFFF(H) or an attempt to exe- 
cute past the end of a segment 


Yes 



Interrupts 

Table 9 shows the interrupt vectors reserved for excep- 
tions and interrupts which indicate an addressing error. 
The exceptions leave the CPU in the state existing be- 
fore attempting to execute the failing instruction (except 
for PUSH, POP, PUSHA, or POPA). Refer to the next 
section on protected mode initialization for a discussion 
on exception 8. 

Protected Mode Initialization 

To prepare the 80286 for protected mode, the LIDT in- 
struction is used to load the 24-bit interrupt table base 
and 16-bit limit for the protected mode interrupt table. 
This instruction can also set a base and limit for the in- 
terrupt vector table in real address mode. After reset, 
the interrupt table base is initialized to 000000(H) and 
its size set to 03FF(H). These values are compatible 
with iAPX 86, 88 software. LIDT should only be exe- 
cuted in preparation for protected mode. 

Shutdown 

Shutdown occurs when a severe error is detected that 
prevents further instruction processing by the CPU. 
Shutdown and halt are externally signalled via a halt bus 
operation. They can be distinguished by A-| HIGH for halt 
and A-| LOW for shutdown. In real address mode, shut- 
down can occur under two conditions: 

• Exceptions 8 or 13 happen and the IDT limit does not 
include the interrupt vector. 

• A CALL, INT, or POP instruction attempts to wrap 
around the stack segment when SP is not even. 

An NMI input can bring the CPU out of shutdown if the 
IDT limit is at least 000F(H) and SP is greater than 
0005(H), otherwise shutdown can only be exited via the 
RESET input. 



PROTECTED VIRTUAL ADDRESS MODE 

The 80286 executes a fully upward-compatible superset 
of the 8086 instruction set in protected virtual address 
mode (protected mode). Protected mode also provides 
memory management and protection mechanisms and 
associated instructions. 

The 80286 enters protected virtual address mode from 
real address mode by setting the PE (Protection En- 
able) bit of the machine status word with the Load Ma- 
chine Status Word (LMSW) instruction. Protected mode 
offers extended physical and virtual memory address 
space, memory protection mechanisms, and new oper- 
ations to support operating systems and virtual memory. 

All registers, instructions, and addressing modes de- 
scribed in the iAPX 286/10 Base Architecture section of 
this Functional Description remain the same. Programs 
for the iAPX 86, 88, 186, and real address mode 80286 
can be run in protected mode; however, embedded con- 
stants for segment selectors are different. 

Memory Size 

The protected mode 80286 provides a 1 gigabyte virtual 
address space per task mapped into a 16 megabyte 
physical addr ess space defined by the address pins A23- 
Aq and BHE. The virtual address space may be larger 
than the physical address space since any use of an 
address that does not map to a physical memory loca- 
tion will cause a restartable exception. 

Memory Addressing 

As in real address mode, protected mode uses 32-bit 
pointers, consisting of 16-bit selector and offset com- 
ponents. The selector, however, specifies an index into 
a memory resident table rather than the upper 1 6-bits of 
a real memory address. The 24-bit base address of the 
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desired segment is obtained from the tables in memory. 
The 16-bit offset is added to the segment base address 
to form the physical address as shown in Figure 10. The 
tables are automatically referenced by the CPU when- 
ever a segment register is loaded with a selector. All 
iAPX 286 instructions which load a segment register will 
reference the memory based tables without additional 
software. The memory based tables contain 8 byte val- 
ues called descriptors. 



31 16 15 



POINTER SELECTOR OFFSET 




PHYSICAL MEMORY 



SEGMENT 

DESCRIPTOR 

TABLE 



DESCRIPTORS 

Descriptors define the use of memory. Special types of 
descriptors also define new functions for transfer of con- 
trol and task switching. The 80286 has segment de- 
scriptors for code, stack and data segments, and system 
control descriptors for special system data segments and 
control transfer operations. Descriptor accesses are 
performed as locked bus operations to assure descrip- 
tor integrity in multi-processor systems. 

CODE AND DATA SEGMENT DESCRIPTORS 

Besides segment base addresses, code and data de- 
scriptors contain other segment attributes including 
segment size (1 to 64K bytes), access rights (read only, 
read/write, execute only, and execute/read), and pres- 
ence in memory (for virtual memory systems) (See Fig- 
ure 11). Any segment usage violating a segment attribute 
indicated by the segment descriptor will prevent the 
memory cycle and cause an exception or interrupt. 

Segment Descriptor 



Figure 10. Protected Mode Memory Addressing 





7 7 


+ 6 

+ 4 

+ 2 




+ 7 

ACCESS 
RIGHTS BYTE 

+ 3 
+ 1 


I 
INTEL RESERVED* 


P 


DPL 

1 


S 


TYPE 
1 1 


A 


BASE23-I6 


BASE,5-o 

I 


LIMIT15-0 

I 


15 8 7 
'Must be set to for compatibility with IAPX 388. 



Access Rights Byte Definition 



r 



L 



Bit 
Position 


Name 


Function 


7 

6-5 
4 


Present (P) 

Descriptor Privilege 
Level (DPL) 

Segment Descrip- 
tor (S) 


P = 1 Segment is mapped into physical memory. 
P = No mapping to physical memory exists, base and limit are not used. 
Segment privilege attribute used in privilege tests. 

S = 1 Code or Data segment descriptor 
S = Non-segment descriptor 


3 
2 

1 


Executable (E) 
Expansion Direc- 
tion (ED) 

Writeable (W) 


E = Data segment descriptor type is: 

ED = Grow up segment, offsets must be «s limit. 

ED = 1 Grow down segment, offsets must be > limit. 

W = Data segment may not be written into. 

W=1 Data segment may be written into. 


Data 
Segment 


3 
2 

1 


Executable (E) 
Conforming (C) 
Readable (R) 


E = 1 Code Segment Descriptor type is: 

C = 1 Code segment may only be executed when CPL s» DPL. 

R = Code segment may not be read. 

R = 1 Code segment may be read. 


_Code 
Segment 





Accessed (A) 


A = Segment has not been accessed. 

A = 1 Segment selector has been loaded into segment register or used by 
selector test instructions. 



Figure 11. Code and Data Segment Descriptor Formats 
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Code and data are stored in two types of segments: 
code segments and data segments. Both types are 
identified and defined by segment descriptors. Code 
segments are identified by the executable (E) bit set to 
1 in the descriptor access rights byte. The access rights 
byte of both code and data segment descriptor types 
have three fields in common: present (P) bit, Descriptor 
Privilege Level (DPL), and accessed (A) bit. If P = 0, 
any attempted use of this segment will cause a not-pres- 
ent exception. DPL specifies the privilege level of the 
segment descriptor. DPL effects when the descriptor may 
be used by a task (refer to privilege discussion below). 
The A bit shows whether the segment has been previ- 
ously accessed for usage profiling, a necessity for vir- 
tual memory systems. The CPU will always set this bit 
when accessing the descriptor. 

Data segments (S = 1 , E = 0) may be either read-only or 
read-write as controlled by the W bit of the access rights 
byte. Read-only (W= 0) data segments may not be writ- 
ten into. Data segments may grow in two directions, as 
determined by the Expansion Direction (ED) bit: up- 
wards (ED = 0) for data segments, and downwards 
(ED = 1 ) for a segment containing a stack. The limit field 
for a data segment descriptor is interpreted differently 
depending on the ED bit (see Figure 11). 

A code segment (S=1, E=1) may be execute-only 
or execute/read as determined by the Readable (R) 
bit. Code segments may never be written into and 
execute-only code segments (R=0) may not be read. 
A code segment may also have an attribute called 
conforming (C). A conforming code segment may be 
shared by programs that execute at different privi- 
lege levels. The DPL of a conforming code segment 
defines the range of privilege levels at which the 
segment may be executed (refer to privilege discus- 
sion below). The limit field identifies the last byte of 
a code segment. 

SYSTEM CONTROL DESCRIPTORS 

In addition to code and data segment descriptors, the 
protected mode 80286 defines system control descrip- 
tors. These descriptors define special system data seg- 
ments and control transfer mechanisms in the protected 
environment. The special system data segment de- 
scriptors define segments which contain tables of de- 
scriptors (Local Descriptor Table Descriptor) and 
segments which contain the execution state of a task 
(Task State Segment Descriptor). 

The control transfer descriptors are call gates, task gates, 
interrupt gates and trap gates. Gates provide a level of 
indirection between the source and destination of the 
control transfer. This indirection allows the CPU to au- 
tomatically perform protection checks and control the 
entry point of the destination. Call gates are used to 
change privilege levels (see Privilege), task gates are 
used to perform a task switch, and interrupt and trap 
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+ 3 
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1 
INTEL RESERVED* 


+ 6 

+ 4 

+ 2 




P 


DPL 

1 





TYPE 
1 1 1 


BASE 23 -i8 


BASE15-0 

1 


LIMIT15-0 

I 


15 8 7 

'Must be sat to for compatibility with IAPX 386. 





System Segment Descriptor Fields 



Name 


Value 


Description 


TYPE 


1 
2 
3 


Available Task State Segment 
Local Descriptor Table Descriptor 
Busy Task State Segment 


P 



1 


Descriptor contents are not valid 
Descriptor contents are valid 


DPL 


0-3 


Descriptor Privilege Level 


BASE 


24-bit 
number 


Base Address of special system data 
segment in real memory 


LIMIT 


16-bit 
number 


Offset of last byte in segment 



Figure 12. System Segment Format 

gates are used to specify interrupt service routines. The 
interrupt gate disables interrupts (resets IF) while the 
trap gate does not. 

Figure 12 gives the formats for the special system data 
segment descriptors. The descriptors contain a 24-bit 
base address of the segment and a 16-bit limit. The ac- 
cess byte defines the type of descriptor, its state and 
privilege level. The descriptor contents are valid and the 
segment is in physical memory if P = 1 . If P = 0, the 
segment is not valid. The DPL field is only used in Task 
State Segment descriptors and indicates the privilege 
level at which the descriptor may be used (see Privi- 
lege). Since the Local Descriptor Table descriptor may 
only be used by a special privileged instruction, the DPL 
field is not used. Bit 4 of the access byte is to indicate 
that it is a system control descriptor. The type field spec- 
ifies the descriptor type as indicated in Figure 1 2. 

Figure 13 shows the format of the gate descriptors. The 
descriptor contains a destination pointer that points to 
the descriptor of the target segment and the entry point 
offset. The destination selector in an interrupt gate, trap 
gate, and call gate must refer to a code segment de- 
scriptor. These gate descriptors contain the entry point 
to prevent a program from constructing and using an 
illegal entry point. Task gates may only refer to a task 
state segment. Since task gates invoke a task switch, 
the destination offset is not used in the task gate. 

Exception 13 is generated when the gate is used if a 
destination selector does not refer to the correct de- 
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Gate Descriptor 





7 07 




+ 7 
+ 5 
+ 3 
+ 1 


1 
INTEL RESERVED* 


+ 6 

+ 4 

+ 2 




P 


DPL 
1 





TYPE 
1 1 1 


XXX 

1 1 


WORD 
COUNT4-0 


DESTINATION SELECTOR^ 

I 


X X 


DESTINATION OFFSET 15 -o 

1 


15 8 7 

'Must ba set to lor compatablllty with IAPX 386. (X Is don't 


:are) 



Gate Descriptor Fields 



Name 


Value 


Description 


TYPE 


4 
5 
6 
7 


-Call Gate 
-Task Gate 
-Interrupt Gate 
-Trap Gate 


P 



1 


-Descriptor Contents are not 

valid 
-Descriptor Contents are 

valid 


DPL 


0-3 


Descriptor Privilege Level 


WORD 
COUNT 


0-31 


Number of words to copy 
from callers stack to called 
procedures stack. Only used 
with call gate. 


DESTINATION 
SELECTOR 


16-bit 
selector 


Selector to the target code 
segment (Call, Interrupt or 
Trap Gate) 

Selector to the target task 
state segment (Task Gate) 


DESTINATION 
OFFSET 


16-bit 
offset 


Entry point within the target 
code segment 



Figure 13. Gate Descriptor Format 

scriptor type. The word count field is used in the call gate 
descriptor to indicate the number of parameters (0-31 
words) to be automatically copied from the caller's stack 
to the stack of the called routine when a control transfer 
changes privilege levels. The word count field is not used 
by any other gate descriptor. 

The access byte format is the same for all gate descrip- 
tors. P = 1 indicates that the gate contents are valid. P 
= indicates the contents are not valid and causes ex- 



ception 11. if referenced. DPL is the descriptor privilege 
level and specifies when this descriptor may be used by 
a task (refer to privilege discussion below). Bit 4 must 
equal to indicate a system control descriptor. The type 
field specifies the descriptor type as indicated in Figure 
13. 

SEGMENT DESCRIPTOR CACHE REGISTERS 

A segment descriptor cache register is assigned to each 
of the four segment registers (CS, SS, DS, ES). Seg- 
ment descriptors are automatically loaded (cached) into 
a segment descriptor cache register (Figure 14) when- 
ever the associated segment register is loaded with a 
selector. Only segment descriptors may be loaded into 
segment descriptor cache registers. Once loaded, all 
references to that segment of memory use the cached 
descriptor information instead of reaccessing memory. 
The descriptor cache registers are not visible to pro- 
grams. No instructions exist to store their contents. They 
only change when a segment register is loaded. 

SELECTOR FIELDS 

A protected mode selector has three fields: descriptor 
entry index, local or global descriptor table indicator (Tl) , 
and selector privilege (RPL) as shown in Figure 15. These 
fields select one of two memory based tables of descrip- 
tors, select the appropriate table entry and allow high- 
speed testing of the selector's privilege attribute (refer 
to privilege discussion below). 
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LOCAL AND GLOBAL DESCRIPTOR TABLES 

Two tables of descriptors, called descriptor tables, con- 
tain all descriptors accessible by a task at any given time. 
A descriptor table is a linear array of up to 81 92 descrip- 
tors. The upper 1 3 bits of the selector value are an index 
into a descriptor table. Each table has a 24-bit base reg- 
ister to locate the descriptor table in physical memory 
and a 16-bit limit register that confine descriptor access 
to the defined limits of the table as shown in Figure 16. A 
restartable exception (13) will occur if an attempt is made 
to reference a descriptor outside the table limits. 

One table, called the Global Descriptor Table (GDT), 
contains descriptors available to all tasks. The other ta- 
ble, called the Local Descriptor Table (LDT), contains 
descriptors that can be private to a task. Each task may 
have its own private LDT. The GDT may contain all de- 
scriptor types except interrupt and trap descriptors. The 
LDT may contain only segment, task gate, and call gate 
descriptors. A segment cannot be accessed by a task if 
its segment descriptor does not exist in either descriptor 
table at the time of access. 



r^j MEMORY *v, 



LDT 
SELECTOR 



PROGRAM INVISIBLE 
L J 
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LDT! 



LDT„ 



CURRENT 
LDT 



Figure 16. Local and Global Descriptor 
Table Definition 

The LGDT and LLDT instructions load the base and limit 
of the global and local descriptor tables. LGDT and LLDT 
are protected. They may only be executed by trusted 
programs operating at level 0. The LGDT instruction loads 
a six byte field containing the 1 6-bit table limit and 24-bit 
base address of the Global Descriptor Table as shown 
in Figure 17. The LLDT instruction loads a selector which 
refers to a Local Descriptor Table descriptor containing 
the base address and limit for an LDT, as shown in Fig- 
ure 12. 
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Figure 17. Global Descriptor Table and Interrupt 
Descriptor Table Data Type 

INTERRUPT DESCRIPTOR TABLE 

The protected mode 80286 has a third descriptor table, 
called the Interrupt Descriptor Table (IDT) (see Figure 
18), used to define up to 256 interrupts. It may contain 
only task gates, interrupt gates and trap gates. The IDT 
(Interrupt Descriptor Table) has a 24-bit base and 16-bit 
limit register in the CPU. The protected LIDT instruction 
loads these registers with a six byte value of identical 
form to that of the LGDT instruction (see Figure 17 and 
Protected Mode Initialization). 
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Figure 18. Interrupt Descriptor Table Definition 

References to IDT entries are made via INT instruc- 
tions, external interrupt vectors, or exceptions. The IDT 
must be at least 256 bytes in size to allocate space for 
all reserved interrupts. 

Privilege 

The 80286 has a four-level hierarchical privilege system 
which controls the use of privileged instructions and ac- 
cess to descriptors (and their associated segments) within 
a task. Four-level privilege, as shown in Figure 19, is an 
extension of the user/supervisor mode commonly found 
in minicomputers. The privilege levels are numbered 
through 3. Level is the most privileged level. Privilege 
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Figure 19. Hierarchical Privilege Levels 

levels provide protection within a task. (Tasks are iso- 
lated by providing private LDT's for each task.) Operat- 
ing system routines, interrupt handlers, and other system 
software can be included and protected within the vir- 
tual address space of each task using the four levels of 
privilege. Tasks may also have a separate stack for each 
privilege level. 

Tasks, descriptors, and selectors have a privilege level 
attribute that determines whether the descriptor may be 
used. Task privilege effects the use of instructions and 
descriptors. Descriptor and selector privilege only effect 
access to the descriptor. 



TASK PRIVILEGE 

A task always executes at one of the four privilege levels. 
The task privilege level at any specific instant is called 
the Current Privilege Level (CPL) and is defined by the 
lower two bits of the CS register. CPL cannot change 
during execution in a single code segment. A task's CPL 
may only be changed by control transfers through gate 
descriptors to a new code segment (See Control Trans- 
fer). Tasks begin executing at the CPL value specified 
by the code segment when the task is initiated via a task 
switch operation. A task executing at Level can access 
all data segments defined in the GDT and the task's LDT 
and is considered the most trusted level. A task execut- 
ing at Level 3 has the most restricted access to data and 
is considered the least trusted level. 



DESCRIPTOR PRIVILEGE 

Descriptor privilege is specified by the Descriptor Privi- 
lege Level (DPL) field of the descriptor access byte. DPL 
specifies the least trusted task privilege level (CPL) at 



which a task may access the descriptor. Descriptors with 
DPL = are the most protected. Only tasks executing 
at privilege level (CPL = 0) may access them. De- 
scriptors with DPL = 3 are the least protected (i.e. have 
the least restricted access) since tasks can access them 
when CPL = 0,1 ,2, or 3. This rule applies to all descrip- 
tors, except LDT descriptors. 



SELECTOR PRIVILEGE 

Selectbr privilege is specified by the Requested Privi- 
lege Level (RPL) field in the least significant two bits of a 
selector. Selector RPL may establish a less trusted priv- 
ilege level than the current privilege level for the use of a 
selector. This level is called the task's effective privilege 
level (EPL). RPL can only reduce the scope of a task's 
access to data with this selector. A task's effective privi- 
lege is the numeric maximum of RPL and CPL. A selec- 
tor with RPL = imposes no additional restriction on its 
use while a selector with RPL = 3 can only refer to seg- 
ments at privilege Level 3 regardless of the task's CPL. 
RPL is generally used to verify that pointer parameters 
passed to a more trusted procedure are not allowed to 
use data at a more privileged level than the caller (refer 
to pointer testing instructions) . 



Descriptor Access and Privilege Validation 

Determining the ability of a task to access a segment 
involves the type of segment to be accessed, the in- 
struction used, the type of descriptor used and CPL, 
RPL, and DPL. The two basic types of segment ac- 
cesses are control transfer (selectors loaded into CS) 
and data (selectors loaded into DS, ES or SS). 



DATA SEGMENT ACCESS 

Instructions that load selectors into DS and ES must 
refer to a data segment descriptor or readable code seg- 
ment descriptor. The CPL of the task and the RPL of the 
selector must be the same as or more privileged (nu- 
merically equal to or lower than) than the descriptor DPL. 
In general, a task can only access data segments at the 
same or less privileged levels than the CPL or RPL 
(whichever is numerically higher) to prevent a program 
from accessing data it cannot be trusted to use. 

An exception to the rule is a readable conforming code 
segment. This type of code segment can be read from 
any privilege level. 

If the privilege checks fail (e.g. DPL is numerically less 
than the maximum of CPL and RPL) or an incorrect type 
of descriptor is referenced (e.g. gate descriptor or exe- 
cute only code segment) exception 1 3 occurs. If the seg- 
ment is not present, exception 11 is generated. 
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Instructions that load selectors into SS must refer to data 
segment descriptors for writable data segments. The 
descriptor privilege (DPL) and RPL must equal CPL. All 
other descriptor types or a privilege level violation will 
cause exception 13. A not present fault causes excep- 
tion 12. 

CONTROL TRANSFER 

Four types of control transfer can occur when a selector 
is loaded into CS by a control transfer operation (see 
Table 10). Each transfer type can only occur if the oper- 
ation which loaded the selector references the correct 
descriptor type. Any violation of these descriptor usage 
rules (e.g. JMP through acallgate or RET to aTask State 
S egment) will cause exception 13. 

1 he ability to reference a descriptor for control transfer 
ii; also subject to rules of privilege. A CALL or JUMP 
instruction may only reference a code segment descrip- 
tor with DPL equal to the task CPL or a conforming seg- 
ment with DPL of equal or greater privilege than CPL. 
The RPL of the selector used to reference the code de- 
scriptor must have as much privilege as CPL. 

RET and IRET instructions may only reference code 
segment descriptors with descriptor privilege equal to or 
less privileged than the task CPL. The selector loaded 
into CS is the return address from the stack. After the 
return, the selector RPL is the task's new CPL. If CPL 
changes, the old stack pointer is popped after the return 
address. 

When a JMP or CALL references a Task State Segment 
descriptor, the descriptor DPL must be the same or less 
privileged than the task's CPL. Reference to a valid Task 



State Segment descriptor causes a task switch (see Task 
Switch Operation). Reference to a Task State Segment 
descriptor at a more privileged level than the task's CPL 
generates exception 1 3. 

When an instruction or interrupt references a gate de- 
scriptor, the gate DPL must have the same or less privi- 
lege than the task CPL. If DPL is at a more privileged 
level than CPL, exception 13 occurs. If the destination 
selector contained in the gate references a code seg- 
ment descriptor, the code segment descriptor DPL must 
be the same or more privileged than the task CPL. If not, 
Exception 13 is issued. After the control transfer, the 
code segment descriptors DPL is the task's new CPL. If 
the destination selector in the gate references a task 
state segment, a task switch is automatically performed 
(see Task Switch Operation). 

The privilege rules on control transfer require: 
— JMP or CALL direct to a code segment (code seg- 
ment descriptor) can only be to a conforming segment 
with DPL of equal or greater privilege than CPL or a 
non-conforming segment at the same privilege level. 

— interrupts within the task or calls that may change 
privilege levels, can only transfer control through a 
gate at the same or a less privileged level than CPL to 
a code segment at the same or more privileged level 
than CPL. 

— return instructions that don't switch tasks can only re- 
turn control to a code segment at the same or less 
privileged level. 

—task switch can be performed by a call, jump or inter- 
rupt which references either a task gate or task state 
segment at the same or less privileged level. 



Table 10. Descriptor Types Used for Control Transfer. 



Control Transfer Types 


Operation Types 


Descriptor 
Referenced 


Descriptor 
Table 


Intersegment within the same privilege level 


JMP, CALL, RET, IRET* 


Code Segment 


GDT/LDT 


Intersegment to the same or higher privilege level Interrupt 
within task may change CPL. 


CALL 


Call Gate 


GDT/LDT 


Interrupt Instruction, 
Exception, External 
Interrupt 


Trap or 

Interrupt 

Gate 


IDT 


Intersegment to a lower privilege level (changes task CPL) 


RET, IRET* 


Code Segment 


GDT/LDT 


Task Switch 


CALL, JMP 


Task State 
Segment 


GDT 


CALL, JMP 


Task Gate 


GDT/LDT 


IRET** 

Interrupt Instruction, 
Exception, External 
Interrupt 


Task Gate 


IDT 



* NT (Nested Task bit of flag word) = 
*NT (Nested Task bit of flag word) = 1 
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PRIVILEGE LEVEL CHANGES 

Any control transfer that changes CPL within the task, 
causes a change of stacks as part of the operation. Initial 
values of SS:SP for privilege levels 0, 1 , and 2 are kept 
in the task state segment (refer to Task Switch Opera- 
tion). During a JMP or CALL control transfer, the new 
stack pointer is loaded into the SS and SP registers and 
the previous stack pointer is pushed onto the new stack. 

When returning to the original privilege level, its stack is 
restored as part of the RET or IRET instruction opera- 
tion. For subroutine calls that pass parameters on the 
stack and cross privilege levels, a fixed number of words, 
as specified in the gate, are copied from the previous 
stack to the current stack. The inter-segment RET in- 
struction with a stack adjustment value will correctly re- 
store the previous stack pointer upon return. 

Protection 

The 80286 includes mechanisms to protect critical in- 
structions that affect the CPU execution state (e.g. HLT) 
and code or data segments from improper usage. These 
mechanisms are grouped under the term "protection" 
and have three forms: 

Restricted usage of segments (e.g. no write allowed 
to read-only data segments). The only segments 
available for use are defined by descriptors in the Lo- 
cal Descriptor Table (LDT) and Global Descriptor Ta- 
ble (GDT). 

Restricted access to segments via the rules of privi- 
lege and descriptor usage. 

Privileged instructions or operations that may only be 
executed at certain privilege levels as determined by 
the CPL and I/O Privilege Level (IOPL). The IOPL is 
defined by bits 14 and 13 of the flag word. 

These checks are performed for all instructions and can 
be split into three categories: segment load checks (Ta- 
ble 11), operand reference checks (Table 12), and privi- 
leged instruction checks (Table 13). Any violation of the 
rules shown will result in an exception. A not-present 
exception related to the stack segment causes excep- 
tion^. 

The IRET and POPF instructions do not perform some 
of their defined functions if CPL is not of sufficient privi- 
lege (numerically small enough). No exceptions or other 
indication are given when these conditions occur. 

The IF bit is not changed if CPL > IOPL. 

The IOPL field of the flag word is not changed if CPL 

>0. 



Table 11 
Segment Register Load Checks 



Error Description 


Exception 
Number 


Descriptor table limit exceeded 


13 


Segment descriptor not-present 


11 or12 


Privilege rules violated 


13 


Invalid descriptor/segment type seg- 
ment register load: 
— Read only data segment load to 

SS 
— Special control descriptor load to 

DS, ES, SS 
— Execute only segment load to 

DS, ES, SS 
— Data segment load to CS 
— Read/Execute code segment 

load to SS 


13 



Table 12 Operand Reference Checks 



Error Description 


Exception 
Number 


Write into code segment 

Read from execute-only code 

segment 

Write to read-only data segment 

Segment limit exceeded' 


13 

13 

13 
. 12or13 



Note 1 : Carry out in offset calculations is ignored. 



Table 13. Privileged Instruction Checks 



Error Description 


Exception 
Number 


CPL + when executing the following 
instructions: 

LIDT, LLDT, LGDT, LTR, LMSW, 

CTS, HLT 


13 


CPL > IOPL when executing the fol- 
lowing instructions: 

INS, IN, OUTS, OUT, STI, CLI, 

LOCK 


13 



EXCEPTIONS 

The 80286 detects several types of exceptions and in- 
terrupts, in protected mode (see Table 14). Most are re- 
startable after the exceptional condition is removed. 
Interrupt handlers for most exceptions receive an error 
code, pushed on the stack after the return address, that 
identifies the selector involved (0 if none). The return 
address normally points to the failing instruction, includ- 
ing all leading prefixes. For a processor extension seg- 
ment overrun exception, the return address will not point 
at the ESC instruction that caused the exception; how- 
ever, the processor extension registers may contain the 
address of the failing instruction. 
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Table 14. Protected Mode Exceptions 



Interrupt 
Vector 


Function 


Return 

Address 

At Failing 

Instruction? 


Always 
Restart- 
able? 


Error 

Code 

on Stack? 


8 
9 
10 
11 
12 
13 


Double exception detected 

Processor extension segment overrun 

Invalid task state segment 

Segment not present 

Stack segment overrun or segment not present 

General protection 


Yes 
No 
Yes 
Yes 
Yes 
Yes 


No 

No 

Yes 

Yes 

Yesi 

No 


Yes 
No 
Yes 
Yes 
Yes 
Yes 



Note 1 : When a PUSHA or POPA instruction attempts to wrap around the stack segment, the machine state after the exception will not be 
restartable. This condition is identified by the value of the saved SP being either 0000(H), 0001 (H), FFFE(H), or FFFF(H). 



All these checks are performed for all instructions and 
can be split into three categories: segment load checks 
(Table 11), operand reference checks (Table 12), and 
privileged instruction checks (Table 13). Any violation of 
the rules shown will result in an exception. A not-present 
exception related to the stack segment causes excep- 
tion^. 

Special Operations 

TASK SWITCH OPERATION 

The 80286 provides a built-in task switch operation which 
saves the entire 80286 execution state (registers, ad- 
dress space, and a link to the previous task), loads a 
new execution state, and commences execution in the 
new task. Like gates, the task switch operation is in- 
voked by executing an inter-segment JMP or CALL in- 
struction which refers to a Task State Segment (TSS) or 
task gate descriptor in the GDT or LDT. An INT n instruc- 
tion, exception, or external interrupt may also invoke the 
task switch operation by selecting a task gate descriptor 
in the associated IDT descriptor entry. 

The TSS descriptor points at a segment (see Figure 20) 
containing the entire 80286 execution state while a task 
gate descriptor contains a TSS selector. The limit field 
must be > 002B(H). 

Each task must have a TSS associated with it. The cur- 
rent TSS is identified by a special register in the 80286 
called the Task Register (TR). This register contains a 
selector referring to the task state segment descriptor 
that defines the current TSS. A hidden .base and limit 
register associated with TR are loaded whenever TR is 
loaded with a new selector. 

The IRET instruction is used to return control to the task 
that called the current task or was interrupted. Bit 14 in 
the flag register is called the Nested Task (NT) bit. It 
controls the function of the IRET instruction. If NT = 0, 
the IRET instruction performs the regular current task 
return; when NT = 1 , IRET performs a task switch op- 
eration back to the previous task. 



When a CALL or INT instruction initiates a task switch, 
the old and new TSS will be marked busy and the back 
link field of the new TSS set to the old TSS selector. The 
NT bit of the new task is set by CALL or INT initiated task 
switches. An interrupt that does not cause a task switch 
will clear NT. NT may also be set or cleared by POPF or 
IRET instructions. 

The task state segment is marked busy by changing the 
descriptor type field from Type 1 to Type 3. Use of a 
selector that references a busy task state segment causes 
Exception 13. 

PROCESSOR EXTENSION CONTEXT SWITCHING 

The context of a processor extension (such as the 80287 
numerics processor) is not changed by the task switch 
operation. A processor extension context need only be 
changed when a different task attempts to use the pro- 
cessor extension (which still contains the context of a 
previous task). The 80286 detects the first use of a pro- 
cessor extension after a task switch by causing the pro- 
cessor extension not present exception (7). The interrupt 
handler may then decide whether a context change is 
necessary. 

Whenever the 80286 switches tasks, it sets the Task 
Switched (TS) bit of the MSW. TS indicates that a pro- 
cessor extension context may belong to a different task 
than the current one. The processor extension not pres- 
ent exception (7) will occur when attempting to execute 
an ESC or WAIT instruction if TS = 1 and a processor 
extension is present (MP = 1 in MSW). 

POINTER TESTING INSTRUCTIONS 

The iAPX 286 provides several instructions to speed 
pointer testing and consistency checks for maintain- 
ing system integrity (see Table 1 5). These instruc- 
tions use the memory management hardware to 
verify that a selector value refers to an appropriate 
segment without risking an exception. A condition 
flag (ZF) indicates whether use of the selector or 
segment will cause an exception. 
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TYPE 


DESCRIPTION 


1 


AN AVAILABLE TASK STATE 
SEGMENT. MAY BE USED AS 
THE DESTINATION OF A TASK 
SWITCH OPERATION. 


3 


A BUSY TASK STATE SEGMENT. 
CANNOT BE USED AS THE 
DESTINATION OF A TASK 
SWITCH. 



P 


DESCRIPTION 


1 


BASE AND LIMIT FIELDS ARE VALID 


O 


SEGMENT IS NOT PRESENT IN 
MEMORY, BASE AND LIMIT ARE NOT 
DEFINED 



CURRENT 
\ TASK 
STATE 



INITIAL 
\ STACKS 
FOR CPL 0,1,2 



Figure 20. Task State Segment and TSS Registers 
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Table 15. Pointer Test Instructions 



Instruction 


Operands 


Function 


ARPL 


Selector, 
Register 


Adjust Requested Privi- 
lege Level: adjusts the RPL 
of the selector to the nu- 
meric maximum of current 
selector RPL value and the 
RPL value in the register. 
Set zero flag if selector RPL 
was changed. 


VERR 


Selector 


VERify for Read: sets the 
zero flag if the segment re- 
ferred to by the selector can 
be read. 


VERW 


Selector 


VERify for Write: sets the 
zero flag if the segment re- 
ferred to by the selector can 
be written. 


LSL 


Register, 
Selector 


Load Segment Limit: reads 
the segment limit into the 
register if privilege rules and 
descriptor type allow. Set 
zero flag if successful. 


LAR 


Register, 
Selector 


Load Access Rights: reads 
the descriptor access rights 
byte into the register if priv- 
ilege rules allow. Set zero 
flag if successful. 



DOUBLE FAULT AND SHUTDOWN 

If two separate exceptions are detected during a single 
instruction execution, the 80286 performs the double 
fault exception (8). If an exception occurs during pro- 
cessing of the double fault exception, the 82086 will en- 
ter shutdown. During shutdown no further instructions 
or exceptions are processed. Either NMI (CPU remains 
in protected mode) or RESET (CPU exits protected mode) 
can force the 80286 out of shutdown. Shutdown is exter- 
nally signalled via a HALT bus operation with A^ HIGH. 

PROTECTED MODE INITIALIZATION 

The 80286 initially executes in real address mode 
after RESET. To allow initialization code to be placed 
at the top of physical memory, A 23 . 2 o will be HIGH 
when the 80286 performs memory references 
relative to the CS register until CS is changed. A 23 . 2 o 
will be zero for references to the DS, ES, or SS 
segments. Changing CS in real address mode will 
force A 23 . 20 LOW whenever CS is used again. The 
initial CS:IP value of F000:FFF0 provides 64K bytes 
of code space for initialization code without chang- 
ing CS. 

Protected mode operation requires several regis- 
ters to be initialized. The GDT and IDT base regis- 
ters must refer to a valid GDT and IDT. After 
executing the LMSW instruction to set PE, the 80286 
must immediately execute an intra-segment JMP 
instruction to clear the instruction queue of instruc- 
tions decoded in real address mode. 



To force the 80286 CPU registers to match the initial 
protected mode state assumed by software, execute 
a JMP instruction with a selector referring to the 
initial TSS used in the system. This will load the task 
register, local descriptor table register, segment 
registers and initial general register state. The TR 
should point at a valid TSS since any task switch 
operation involves saving the current task state. 



SYSTEM INTERFACE 

The 80286 system interface appears in two forms: a 
local bus and a system bus. The local bus consists of 
address, data, status, and control signals at the pins of 
the CPU. A system bus is any buffered version of the 
local bus. A system bus may also differ from the local 
bus in terms of coding of status and control lines and/or 
timing and loading of signals. The iAPX 286 family in- 
cludes several devices to generate standard system 
buses such as the IEEE 796 standard Multibus™. 

Bus Interface Signals and Timing 

The iAPX 286 microsystem local bus interfaces the 80286 
to local memory and I/O components. The interface has 
24 address lines, 16 data lines, and 8 status and control 
signals. 

The 80286 CPU, 82284 clock generator, 82288 bus 
controller, 82289 bus arbiter, 8286/7 transceivers, 
and 8282/3 latches provide a buffered and decoded 
system bus interface.The 82 284 ge nerates the 
system clock and synchronizes READY and RESET. 
The 82288 converts bus operation status encoded 
by the 80286 into command and bus control signals. 
The 82289 bus arbiter generates Multibus bus 
arbitration signals. These components can provide 
the timing and electrical power drive levels required 
for most system bus interfaces including the Multibus. 

Physical Memory and I/O Interface 

A maximum of 16 megabytes of physical memory can 
be addressed in protected mode. One megabyte can be 
addressed in real address mode. Memory is accessible 
as bytes or words. Words consist of any two consecutive 
bytes addressed with the least significant byte stored in 
the lowest address. 

Byte transfers occur on either half of the 16-bit local data 
bus. Even bytes are accessed over D 7 _ while odd bytes 
are transferred over D 15 _ 8 . Even-addressed words are 
transferred over D 15 _o in one bus cycle, while odd-ad- 
dressed words require two bus operations. The first 
transfers data on Di5_s, and the second transfers data 
on D7_o. Both byte data transfers occur automatically, 
transparent to software. 

Two bus signals, Aq and BHE, control transfers over the 
lower and upper halves of the data bus. Even address 
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byte transfers are indicated by Ao LOW and BHE HIGH. 
Odd add ress byte transfers are indicated by Ao HIGH 
and BHE LOW. Both Ao and BHE are LOW for even ad- 
dress word transfers. 

The I/O address space contains 64K addresses in both 
modes. The I/O space is accessible as either bytes or 
words, as is memory. Byte wide peripheral devices may 
be attached to either the upper or lower byte of the data 
bus. Byte-wide I/O devices attached to the upper data 
byte (D 15 _s) are accessed with odd I/O addresses. De- 
vices on the lower data byte are accessed with even I/O 
addresses. An interrupt controller such as Intel's 8259A 
must be connected to the lower data byte (D 7 _o) for proper 
return of the interrupt vector. 
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Figure 22. 80286 Bus States 



Bus Operation 

The 80286 uses a double frequency system clock (CLK 
input) to control bus timing. All signals on the local bus 
are measured relative to the system CLK input. The CPU 
divides the system clock by 2 to produce the internal 
processor clock, which determines bus state. Each pro- 
cessor clock is composed of two system clock cycles 
named phase 1 and phase 2. The 82284 clock generator 
output (PCLK) identifies the next phase of the processor 
clock. (See Figure 21 .) 
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Figure 21 . System and Processor 
Clock Relationships 

Six types of bus operations-are supported; memory read, 
memory write, I/O read, I/O write, interrupt acknowl- 
edge, and halt/shutdown. Data can be transferred at a 
maximum rate of one word per two processor clock cycles. 

The iAPX 286 bus has three basic states: idle (Tj), send 
status (T s ), and perform command (T c ). The 80286 CPU 
also has a fourth local bus state called hold (Th). T h in- 
dicates that the 80286 has surrendered control of the 
local bus to another bus master in response to a HOLD 
request. 

Each bus state is one processor clock long. Figure 22 
shows the four 80286 local bus states and allowed 
transitions. 



Bus States 

The idle (Tj) state indicates that no data transfers are 
in progress or requested. _Th e first active state (T s ) 
is signaled by status line S1 or SO going LOW and 
identifying phase 1 of the processor clock. During 
T s , the command encoding, the address, and data 
(for a write operation) are available on the 80286 
output pins. The 82288 bus controller decodes the 
status signals and generates Multibus compatible 
read/write command and local transceiver control 
signals. 

After T s , the perform command (T c ) state is entered. 
Memory or I/O devices respond to the bus operation 
during T c , either transferring read data to the CPU or 
accepting write data. T c states may be repeated as often 
as necessary to assure sufficient time for the memory or 
I/O device to respond. The READY signal determines 
whether T c is repeated. 

During hold (T h ), the 80286 will float all address, data, 
and status output pins enabling another bus master to 
use the local bus. The 80286 HOLD input signal is used 
to place the 80286 into the T h state. The 80286 HLDA 
output signal indicates that the CPU has entered Th. 

Pipelined Addressing 

The 80286 uses a local bus interface with pipelined tim- 
ing to allow as much time as possible for data access. 
Pipelined timing allows bus operations to be performed 
in two processor cycles, while allowing each individual 
bus operation to last for three processor cycles. 

The timing of the address outputs is pipelined such that 
the address of the next bus operation becomes available 
during the current bus operation. Or in other words, the 
first clock of the next bus operation is overlapped with 
the last clock of the current bus operation. Therefore, 
address decode and routing logic can operate in ad- 
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Figure 23. Basic Bus Cycle 



vance of the next bus operation. External address latches 
may hold the address stable for the entire bus operation, 
and provide additional AC and DC buffering. 

The 80286 does not maintain the address of the current 
bus operation during all T c states. Instead, the address 
for the next bus operation may be emitted during phase 
2 of any T c . The address remains valid during phase 1 
of the first T c to guarantee hold time, relative to ALE, for 
the address latch inputs. 

Bus Control Signals 

The 82288 bus controller provides control signals; ad- 
dress latch enable (ALE), Read/Write commands, data 
transmit/receive (DT/R), and data enable (DEN) that 
control the address latches, data transceivers, write en- 
able, and output enable for memory and I/O systems. 

The Address Latch Enable (ALE) output determines when 
the address may be latched. ALE provides at least one 
system CLK period of address hold time from the end of 
the previous bus operation until the address for the next 
bus operation appears at the latch outputs. This address 
hold time is required to support Multibus® and common 
memory systems. 

The data bus transceivers are controlled by 82288 out- 
puts Data Enable (DEN) and Data Transmit/Receive (DT/ 
R). DEN enables the data transceivers; while DT/R con- 
trols transceiver direction. DEN and DT/R are timed to 
prevent bus contention between the bus master, data 
bus transceivers, and system data bus tranceivers. 



Command Timing Controls 

Two system timing customization options, command ex- 
tension and command delay, are provided on the iAPX 
286 local bus. 

Command extension allows additional time for external 
devices to respond to a command and is analogous to 
inserting wait states on the 8086. External logic can con- 
trol the duration of any bus operation such that the op- 
eration is only as long as necessary. The READY input 
signal can extend any bus operation for as long as 
necessary. 

Command delay allows an increase of address or write 
data setup time to system bus command active for any 
bus operation by delaying when the system bus com- 
mand becomes active. Command delay is controlled by 
the 82288 CMDLY input. After T s , the bus controller 
samples CMDLY at each failing edge of CLK. If CMDLY 
is HIGH, the 82288 will not activate the command signal. 
When CMDLY is LOW, the 82288 will activate the com- 
mand signal. After the command becomes active, the 
CMDLY input is not sampled. 

When a command is delayed, the available response 
time from command active to return read data or accept 
write data is less. To customize system bus timing, an 
address decoder can determine which bus operations 
require delaying the command. The CMDLY input does 
not affect the timing of ALE, DEN, or DT/R. 
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Figure 24. CMDLY Controls and Leading Edge of the Command 



Figure 24 illustrates four uses of CMDLY. Example 1 
shows delaying the read command two system CLKs for 
cycle N-1 and no delay for cycle N, and example 2 shows 
delaying the read command one system CLK for cycle 
N-1 and one system CLK delay for cycle N. 

Bus Cycle Termination 

At maximum transfer rates, the iAPX 286 bus alternates 
between the status and command states. The bus status 
signals become inactive after T s so that they may cor- 
rectly signal the start of the next bus operation after the 
completion of the current cycle. No external indication of 
T c exists on the iAPX 286 local bus. The bus master and 
bus controller enter T c directly after T s and continue ex- 
ecuting T c cycles until terminated by READY. 



READY Operation 

The current bus master and 82288 bus controller termi- 
nate each bus operation simultaneously to achieve 
maximum bus bandwidth. Both are informed in advance 
by READY active which identifies the last T c cycle of the 



current bus operation. The bus master and bus control- 
ler must see the same sense of the READY signal, thereby 
requiring READY be synchronous to the system clock. 

Synchronous Ready 

The 82284 clock generator provides READY synchro- 
nization from both synchronous and asynchronous 
sources (see Figure 25). The synchronous ready input 
(SRDY) of the clock generator is sampled with the falling 
edge of CLK at the end of phase 1 of each T c . The state 
of SRDY is then broadcast to the bus master and bus 
controller via the READY output line. 

Asynchronous Ready 

Many systems have devices or subsystems that are 
asynchronous to the system clock. As a result, their ready 
outputs cannot be guaranteed to meet the 82284 SRDY 
setup and hold time requirements. The 82284 asynchro- 
nous ready input (A RDY) is designed to accept such 
signals. The ARDY input is sampled at the beginning of 
each T c cycle by 82284 synchronization logic. This pro- 
vides a system CLK cycle time to resolve its value before 
broadcasting it to the bus master and bus controller. 
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NOTES: 



1. S RDYEN is active low 

2. If SRDYE N is high, the state of SRDY will not effect READY 

3. ARDYEN is active low 



Figure 25. Synchronous and Asynchronous Ready 



ARDY or ARDYEN must be HIGH at the end of T s . 
ARDY cannot be used to terminate bus cycle with 
no wait states. 

Each read y in put of th e 82284 has an enable pin 
(SRDYEN and ARDYEN) to select whether the current 
bus operation will be terminated by the synchronous or 
asynchronous ready. Either of the ready inputs may ter- 
minate a bus operation. These enable inputs are active 
low and have the same timing as their respective ready 
inputs. Address decode logic usually selects whether 
th e curren t bus operation should be terminated by ARDY 
orSRDY. 



Data Bus Control 

Figures 26, 27, and 28 show how the DT/R, DEN, data 
bus, and address signals operate for different combina- 
tions of read, write, and idle bus operations. DT/R goes 
active (LOW) for a read operaton. DT/R remains HIGH 
before, during, and between write operations. 



The data bus is driven with write data during the second 
phase of T s . The delay in write data timing allows the 
read data drivers, from a previous read cycle, sufficient 
time to enter 3-state OFF before the 80286 CPU begins 
driving the local data bus for write operations. Write data 
will always remain valid for one system clock past the 
last T c to provide sufficient hold time for Multibus or other 
similar memory or I/O systems. During write-read or write- 
idle sequences the data bus enters 3-state OFF during 
the second phase of the processor cycle after the last 
T c . In a write-write sequence the data bus does not enter 
3-state OFF between T c and T s . 

Bus Usage 

The 80286 local bus may be used for several functions: 
instruction data transfers, data transfers by other bus 
masters, instruction fetching, processor extension data 
transfers, interrupt acknowledge, and halt/shutdown. This 
section describes local bus activities which have special 
signals or requirements. 
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Figure 26. Back to Back Read-Write Cycles 
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Figure 27. Back to Back Write-Read Cycles 



C-29 



Intel' 



iAPX 286/10 



APMM©i OIWO^GMTTiM 




Figure 28. Back to Back Write-Write Cycles 



HOLD and HLDA 

HOLD and HLDA allow another bus master to gain con- 
trol of the local bus by placing the 80286 bus into the Th 
state. The sequence of events required to pass control 
between the 80286 and another local bus master are 
shown in Figure 29. 

In this example, the 80286 is initially in the Th state as 
signaled by HLDA being active. Upon leaving Th, as sig- 
naled by HLDA going inactive, a write operation is started. 
During the write operation another local bus master re- 
quests the local bus from the 80286 as shown by the 
HOLD signal. After completing the write operation, the 
80286 performs one Tj bus cycle, to guarantee write data 
hold time, then enters Th as signaled by HLDA going 
active. 

The CMDLY signal and ARDY ready are used to start 
and sto p the write bus command, respectively. Note that 
SRD Ymustb e inactive or disabled bySRDYENto guar- 
antee ARDY will terminate the cycle. 

Instruction Fetching 

The 80286 Bus Unit (BU) will fetch instructions ahead of 
the current instruction being executed. This activity is 
called prefetching. It occurs when the local bus would 
otherwise be idle and obeys the following rules: 



A prefetch bus operation starts when at least two bytes 
of the 6-byte prefetch queue are empty. 
The prefetcher normally performs word prefetches in- 
dependent of the byte alignment of the code segment 
base in physical memory. 

The prefetcher will perform only a byte code fetch op- 
eration for control transfers to an instruction beginning 
on a numerically odd physical address. 
Prefetching stops whenever a control transfer or HLT 
instruction is decoded by the IU and placed into the 
instruction queue. 

In real address mode, the prefetcher may fetch up 
to 6 bytes beyond the last control transfer or HLT 
instruction in a code segment. 

In protected mode, the prefetcher will never cause a 
segment overrun exception. The prefetcher stops at 
the last physical memory word of the code segment. 
Exception 13 will occur if the program attempts to ex- 
ecute beyond the last full instruction in the code 
segment. 

If the last byte of a code segment appears on an even 
physical memory address, the prefetcher will read the 
next physical byte of memory (perform a word code 
fetch). The value of this byte is ignored and any at- 
tempt to execute it causes exception 13. 
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NOTES: 

1. Status lines are not driven by 80286, yet remain high due to pullup resistors in 82288 and 82289 during HOLD state. 

2. Address, M/IO and COD/INTA may start floating during any TC depending on when internal 80286 bus arbiter decides to release bus to 
external HOLD. The float starts in <t>2 of TC. 

3. BHE and LOCK may start floating after the end of any TC depending on when internal 80286 bus arbiter decides to release bus to external 
HOLD. The float starts in <£1 of TC. 

4. The minimum HOLD to HLDA time is shown. Maximum is one Th longer. 

5. The earliest HOLD time is shown. It will always allow a subsequent memory cycle if pending is shown. 

6. The minimum HOLD to HLDA time is shown. Maximum is a function of the instruction, type of bus cycle and other machine status (i.e., 
Interrupts, Waits, Lock, etc.) 

7. Asynchronous ready allows termination of the cycle. Synchronous ready does not signal ready in this example. Synchronous ready state 
is ignored after ready is signaled via the asynchronous input. 



Figure 29. Multibus Write Terminated by Asynchronous Ready with Bus Hold 
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Processor Extension Transfers 

The processor extension interface uses I/O port ad- 
dresses 00F8(H), OOFA(H), and OOFC(H) which are part 
of the I/O port address range reserved by Intel. An ESC 
instruction with EM = and TS = will perform I/O bus 
operations to one or more of these I/O port addresses 
independent of the value of IOPL and CPL 

ESC instructions with memory references enable the 
CPU to accept PEREQ inputs for processor extension 
operand transfers. The CPU will determine the operand 
starting address and read/write status of the instruction. 
For each operand transfer, two or three bus operations 
are performed, one word transfer with I/O port address 
OOFA(H) and one or two bus operations with memory. 
Three bus operations are required for each word oper- 
and aligned on an odd byte address. 

Interrupt Acknowledge Sequence 

Figure 30 illustrates an interrupt acknowledge se- 
quence performed by the 80286 in response to an INTR 
input. An interrupt acknowledge sequence consists of 
two INTA bus operations. The first allows a master 8259A 
Programmable Interrupt Controller (PIC) to determine 
which if any of its slaves should return the interrupt vec- 
tor. An eight bit vector is read by the 80286 during the 
second INTA bus operation to select an interrupt han- 
dler routine from the interrupt table. 

The Master Cascade Enable (MCE) signal of the 82288 
is used to enable the cascade address drivers, during 
INTA bus operations (See Figure 30), onto the local ad- 
dress bus for distribution to slave interrupt controllersvia 
the system address bus. The 80286 emits the LOCK 
signal (active LOW) during T s of the first INTA bus oper- 
ation. A local bus "hold" request will not be honored until 
the end of the second INTA bus operation. 

Three idle processor clocks are provided by the 80286 
between INTA bus operations to allow for the minimum 
INTA to INTA time and CAS (cascade address) out delay 
of the 8259A. The second INTA bus operation must al- 
ways have at least one extra T c state added via logic 
controlling READY. A23-A0 are in 3-state OFF until after 
the first T c state of the second INTA bus operation. This 
prevents bus contention between the cascade address 
drivers and CPU address drivers. The extra T c state al- 
lows time for the 80286 to resume driving the address 
lines for subsequent bus operations. 



Local Bus Usage Priorities 

The 80286 local bus is shared among several internal 
units and external HOLD requests. In case of simulta- 
neous requests, their relative priorities are: 



(Highest) Any transfers which assert LOCK either ex- 
plicitly (via the LOCK instruction prefix) or 
implicitly (i.e. segment descriptor access, 
interrupt acknowledge sequence, or an 
XCHG with memory); 

The second of the two byte bus operations 
required for an odd aligned word operand. 

The second or third cycle of a processor 
extension data transfer. 

Local bus request via HOLD input. 
Processor extension data operand transfer 
via PEREQ input. 

Data transfer performed by EU as part of an 
instruction. 

(Lowest) An instruction prefetch request from BU. The 
EU will inhibit prefetching two processor 
clocks in advance of any data transfers to 
minimize waiting by EU for a prefetch to finish. 



Halt or Shutdown Cycles 

The 80286 externally indicates halt or shutdown condi- 
tions as a bus operation. These conditions occur due to 
a HLT instruction or multiple protection exceptions while 
attempting to execute one instruction. A halt or shut- 
down bus operation is signalled when ST, 5Q and COD/ 
TRTA are LOW and M/TO is HIGH. A, HIGH indicates 
halt, and A^ LOW indicates shutdo wn. The 82288 bus 
controller does not issue ALE, nor is READY required to 
terminate a halt or shutdown bus operation. 

During halt or shutdown, the 80286 may service PEREQ 
or HOLD requests. A processor extension segment 
overrun exception during shutdown will inhibit further 
service of PEREQ. Either NMI or RESET will force the 
80286 out of either halt or shutdown. An INTR, if inter- 
rupts are enabled, or a processor extension segment 
overrun exception will also force the 80286 out of halt. 
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NOTES: 

1. Data is ignored. 

2. First INTA cycle should have at least one wait state inserted to meet 8259A minimum INTA pulse width. 

3. Second INTA cycle must have at least one wait state inserted since the CPU will not drive A 23 - Ag, BHE, and LOCK until after the first 
TC state. 

The CPU imposed one/clock delay prevents bus cqntention between cascade address buffer being disabled by MCE I and address 

outputs. 

Without the wait state, the 80286 address will not be valid for a memory cycle started immediately after the second INTA cycle. The 

8259A also requires one wait state for minimum INTA pulse width. 

4. LOCK is active for the first INTA cycle to prevent the 82289 from releasing the bus between INTA cycles in a multi-master system. 

5. A 23 - Aq exits 3-state OFF during <£2 of the second T c in the INTA cycle. 



Figure 30. Interrupt Acknowledge Sequence 



C-33 



intel' 



iAPX 286/10 



A®mN]©I DKlF®I^DMfl^arD®KI ■ 




SYNC READY ■ 

ENABLE • 

ASYNC READY ■ 

ENABLE - 



SHOT RESE 
SBDYETJ 
A~RBY 
ARDYEN 
82284 
CLOCK 
GENERATOR 



. I 

. J 



-U.LLLL. 




M/IO 

LOCK 

CLK COD/INTaI 1 

RESUY 

ST A23-A0 

SO 



NMI BHE 

HOLD 
HLDA 
ERROR 

BUSY INTR 

PESCR 

PEREO CAP 

80286 

CPU 

Dis - Do 



7\ 



-*- MEMORY READ 

-*- MEMORY WRITE 

-*■ I/O READ 

-*- I/O WRITE 

-*- INTERRUPT ACKNOWLEDGE 



M I ►- ADVANCED MEMORY 

+4 DECODE I- -*- AND l/0 CHIP SELECTS 

r _ > J (OPTIONAL) J 



T- 



PROCESSOR 
EXTENSION 
(OPTIONAL) 



SO:::"-: 



> 




8282 
or 8283 
LATCH 



^> 



ADDRESS BUS 



tf 



£ 



[NTS 
WR 



>o- D 7 

8259A 
INTERRUPT 
CONTROLLER 



<=■ 



^> 



8287 
TRANS- 
CEIVER 



<^>: 



Figure 31 . Basic iAPX 286 System Configuration 



SYSTEM CONFIGURATIONS 

The versatile bus structure of the iAPX 286 microsys- 
tem, with a full complement of support chips, allows flex- 
ible configuration of a wide range of systems. The basic 
configuration, shown in Figure 31 , is similar to an iAPX 
86 maximum mode system. It includes the CPU plus an 
8259A interrupt controller, 82284 clock generator, and 
the 82288 Bus Controller. The iAPX 86 latches (8282 
and 8283) and transceivers (8286 and 8287) may be 
used in an iAPX 286 microsystem. 

As indicated by the dashed lines in Figure 31 , the ability 
to add processor extensions is an integral feature of iAPX 
286 microsystems. The processor extension interface 
allows external hardware to perform special functions 
and transfer data concurrent with CPU execution of other 
instructions. Full system integrity is maintained because 
the 80286 supervises all data transfers and instruction 
execution for the processor extension. 

The iAPX 286/20 numeric data processor which in- 
cludes the 80287 numeric processor extension (NPX) 



uses this interface. The iAPX 286/20 has all the instruc- 
tions and data types of an iAPX 86/20 or iAPX 88/20. 
The 80287 NPX can perform numeric calculations and 
data transfers concurrently with CPU program execu- 
tion. Numerics code and data have the same integrity as 
all other information protected by the iAPX 286 protec- 
tion mechanism. 

The 80286 can overlap chip select decoding and ad- 
dress propagation during the data transfer for the pre- 
vious bus operation. This information is latched into the 
8282/3's by ALE during the middle of a T s cycle. The 
latched chip select and address information remains 
stable during the bus operation while the next cycles 
address is being decoded and propagated into the sys- 
tem. Decode logic can be implemented with a high speed 
bipolar PROM. 

The optional decode logic shown in Figure 31 takes ad- 
vantage of the overlap between address and data of the 
80286 bus cycle to generate advanced memory and IO- 
select signals. This minimizes system performance 
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Figure 32. Multibus System Bus Interface 



degradation caused by address propogation and de- 
code delays. In addition to selecting memory and I/O, 
the advanced selects may be used with configurations 
supporting local and system buses to enable the appro- 
priate bus interface for each bus cycle. The COD/I NTA 
and M/JD signals are applied to the decode logic to dis- 
tinguish between interrupt, I/O, code and data bus cycles. 

By adding the 82289 bus arbiter chip the 80286 provides 
a Multibus system bus interface as shown in Figure 32. 
The ALE output of the 82288 for the Multibus bus is 



connected to its CMDLY input to delay the start of com- 
mands one system CLK as required to meet Multibus 
address and write data setup times. This arrangement 
will add at least one extra T c state to each bus operation 
which uses the Multibus. 

A second 82288 bus controller and additional latches 
and transceivers could be added to the local bus of Fig- 
ure 32. This configuration allows the 80286 to support 
an on-board bus for local memory and peripherals, and 
the Multibus for system bus interfacing. 
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Figure 33. iAPX 286 System Configuration with Dual-Ported Memory 



Figure 33 shows the addition of dual ported dynamic 
memory between the Multibus system bus and the iAPX 
286 local bus. The dual port interface is provided by the 
8207 Dual Port DRAM Controller. The 8207 runs syn- 
chronously with the CPU to maximize throughput for lo- 
cal memory references. It also arbitrates between 
requests from the local and system buses and performs 



functions such as refresh, initialization of RAM, and read/ 
modify/write cycles. The 8207 combined with the 8206 
Error Checking and Correction memory controller pro- 
vide for single bit error correction. The dual-ported 
memory can be combined with a standard Multibus sys- 
tem bus interface to maximize performance and protec- 
tion in multiprocessor system configurations. 
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PACKAGE 

The 80286 is packaged in a 68-pin, leadless JEDEC 
type A hermetic leadless chip carrier. Figure 34 illus- 
trates the package, and Figure 2 shows the pinout. 



.050 
(1.27) 



.800 
(20.32) 



.039 
(0.99) 



T 

1 



JUUUUUUUUUUUUUUUUUC 



innnnnnnnnnnnnnnnn^ 



.960 
(24.38) 



.960 
(24.38) 



- PIN NO 1 MARK 



.094 
' (2.39) 



.066 
' (1.68) 



.130 
(3.30) 



INCHES 
(MILLIMETERS) 



Figure 34. JEDEC Type A Package 



ABSOLUTE MAXIMUM RATINGS* 

Ambient Temperature Under Bias 0°Cto70°C 

Storage Temperature -65°Cto + 150°C 

Voltage on Any Pin with 

Respect to Ground -1.0 to +7V 

Power Dissipation 3.6 Watt 

D.C. CHARACTERISTICS (80286: T A = 0°C to 70°C, V C c = 5V 



* NOTICE: Stresses above those listed under "Absolute Max- 
imum Ratings" may cause permanent damage to the device. 
This is a stress rating only and functional operation of the de- 
vice at these or any other conditions above those indicated in 
the operational sections of this specification is not implied. 
Exposure to absolute maximum rating conditions for ex- 
tended periods may affect device reliability. 



10%) 



Symbol 


Parameter 


Min. 


Max. 


Units 


Test Conditions 


V|L 


Input Low Voltage 


-0.5 


+ 0.8 


V 




V| H 


Input High Voltage 


2.0 


V C c + 0.5 


V 




Vol 


Output Low Voltage 




0.45 


V 


Iql = 3.0 mA 


VOH 


Output High Voltage 


2.4 




V 


I O h=-400hA 


ice 


Power Supply Current 




600 


mA 


T A = 25°C 


Ili 


Input Leakage Current 




±10 


>A 


0V^V| N «Vcc 


Ilo 


Output Leakage Current 




±10 


p,A 


0.45V =s V UT « V C C 


V C L 


Clock Input High Voltagp 


-0.5 


+ 0.6 


V 




V C H 


Clock Input High Voltage 


3.8 


V C c + 1-0 


V 




C|N 


Capacitance of Inputs 
(All input except CLK) 




10 


PF 


fc = 1MHz 


Co 


Capacitance of I/O or outputs 




20 


PF 


fc = 1MHz 


CCLK 


Capacitance of CLK Input 




12 


PF 


f c =1MHz 
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A.C. CHARACTERISTICS (T A = o°cto70°c, v C c = 5V ± 10%) 

80286 Timing Requirements 



Symbol 


Parameter 


Min. 


Max. 


Units 


Test Conditions 


1 


System clock period 


62.5 


250 


ns 




2 


System clock low time 


15 


230 


ns 


at .6 Volts 


3 


System clock high time 


20 


235 


ns 


at 3.2 Volts 


4 


Asynchronous input setup time 


20 




ns 


See note 1 


5 


Asynchronous input hold time 


20 




ns 


See note 1 


6 


RESET setup time 


20 




ns 




7 


RESET hold time 







ns 




8 


Read data in setup time 


10 




ns 




9 


Read data in hold time 


5 




ns 




10 


READY setup time 


38.5 




ns 




11 


READY hold time 


25 




ns 




12 


STATUS/PEACK valid delay 





40 


ns 


C L = 100 pF max 
above self load 


13 


Address valid delay 





60 


ns 


14 


Write data valid delay 





50 


ns 


15 


Address/Status/Data float delay 





60 


ns 


16 


HLDA valid delay 





60 


ns 



82284 Timing Requirements 



Symbol 


Parameter 


Min. 


Max. 


Units 


Test Conditions 


17 


SRDY/SRDYEN setup time 


15 




ns 




18 


SRDY/SRDYEN hold time 







ns 




19 


ARDY/ARDYEN setup time 







ns 


See note 1 


20 


ARDY/ARDYEN hold time 


16 




ns 


See note 1 . 


21 


PCLK delay 





40 


ns 


C L = 50 pF 
Iql = 5 ma 
Ioh = _1 ma 



NOTE 1 : These times are given for testing purposes to assure a predetermined action. 



82288 Timing Requirements 



Symbol 


Parameter 


Min. 


Max. 


Units 


Test Conditions 


22 


CMDLY setup time 


20 




ns 




23 


CMDLY hold time 







ns 




24 


Command delay 


3 


15 


ns 


Cl = 300 pF max 
Iql = 32 ma max 
Iqh = -5 ma max 


25 


ALE active delay 


3 


15 


ns 


C L = 80 pF max 
I l - 16 ma max 
l 0H = -1 ma max 


26 


ALE inactive delay 





20 


ns 


27 


DT/R read active delay 





20 


ns 


28 


DT/R read inactive delay 


10 


40 


ns 


29 


DEN read active delay 


10 


50 


ns 


30 


DEN read inactive delay 


3 


15 


ns 


31 


DEN write active delay 





30 


ns 


32 


DEN write inactive delay 


3 


30 


ns 
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WAVEFORMS 



MAJOR CYCLE TIMING 



BUS CYCLE TYPE 




® 



XZ ////////////////M 



VALID ADDRESS 



® 



///////////////////////////, 



D,s-Do 



\m\\\mm\\\^^ 



SRdV+SRdYEN ' 



ffiBY+ARoYEN 



\\ \\\\\\\\\\\\\\\\\\\\\\^ ^L 



j \ r 



® 



© 



VALID CONTROL 



< 




© 



© 



VALID READ DATA 



® 



® 



© 



f 



\\ \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 



© 



© 



© 



/ — V 



V 



//////////////// ■I 



■©• 



VALID ADDRESS 



WK 



VALID CONTROL 



© . 



© 



© 



©I" 



VALID WRITE DATA 



©- 



© 



f 



© 



1 
®\~- 



© 



^ 



©I- 



WlW MIIItllllllt 



© 



®- 



© 



tMUMMMML 



® 



© 
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WAVEFORMS (Continued) 



80286 ASYNCHRONOUS INPUT SIGNAL TIMING 



BUS CYCLE TYPE 



PCLK — V 
(SEE NOTE 1.) \_ 



INTR.NMI 
HOLD.PER 
(SEE NOTE 2.) 



holw-o wmmc 



ERROR.BUSY U7)\f 
(SEE NOTE 2.) UU\. 



c? 



® 



f 



© 



® 



© 



^ / 



)miMzzm 



NOTES: 

1 . PCLK indicates which processor cycle phase will occur on the 
next CLK. PCLK may not indicate the correct phase until the first 
bus cycle is performed. 

2. These inputs are asynchronous. The setup and hold times shown 
assure recognition for testing purposes. 



80286 RESET INPUT TIMING AND 
SUBSEQUENT PROCESSOR CYCLE PHASE 




NOTE 1: When RESET meets the setup time shown, the next CLK 
will start or repeat <j>2 of a processor cycle. 



EXITING AND ENTERING HOLD 



BUS CYCLE TYPE 




-^^f-^ 



j ^_/ \_v \ / \ r 



NOTES: 

1. These signals may not be driven by the 80286 during the time shown. The worst case in terms of latest float time is shown. 

2. The data bus will be driven as shown if the last cycle before T, in the diagram was a write T c . 

3. The 80286 floats its status pins during T H . External pullup resistors (in 82288) keep these signals high. 

4. For H OL D reque st set up to HLDA, refer to Figure 29. 

5. BHE and LOCK are driven at this time but will not become valid until T s . 

6. The data bus will remain in 3-state OFF if a read cycle is performed. 
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WAVEFORMS (Continued) 



80286 PEREQ/PEACK TIMING FOR ONE TRANSFER ONLY 



BUS CYCLE TYPE 




A23 - Ao 

M/lO 

COD/iNTS 



ZXDC 



I/O REAO IF PROC. EXT. TO MEMORY 
MEMORY REAO IF MEMORY TO PROC. EXT. 



MEMORY WRITE IF PROC. EXT. TO MEMORY 
I/O WRITE IF MEMORY TO PROC. EXT. 



\ 



® 



\ 



H® 

(SEE NOTE 1.) / 



-(SEE NOTE 2.)- 



miiif 



MEMORY ADDRESS IF PROC. EXT. TO MEMORY TRANSFER 

I/O PORT ADDRESS OOFA(H) IF MEMORY TO PROC. EXT. TRANSFER 



)OC 



I/O PORT ADDRESS OOFA(H) IF PROC. EXT. TO MEMORY TRANSFER 
MEMORY ADDRESS IF MEMORY TO PROC. EXT. TRANSFER 



0® 



, W/////////////////////////////////////////////MM 



NOTES: 



1 . PEACK always goes active during the first bus operation of a processor extension data operand transfer sequence. The first bus operation 
will be either a memory read at operand address or I/O read at port address OOFA(H). 

2. To prevent a second processor extension data operand transfer, the worst case maximum time (Shown above) is: 3X(T)- (jj) max 
-(j) min .Theactual,configurationdependent,maximumtimeis:3X(l)-(Tl) max -(3) min + AX2X(T). 

A is the number of extra T c states added to either the first or second bus operation of the processor extension data operand transfer 
sequence. 



INITIAL 80286 PIN STATE DURING RESET 

BUS CYCLE TYPE 

*1 
CLK "* ' ' 




A 23 - A„ 



y 



-*©*- 



I 



■*%*■ 



I 



■*-©-»■ 



k 



® 



mmmm)mmmmmm))))m))))mm - — *—- — 



-55- 



^ 



-55- 



NOTES: 

1 . Setup time for RESET f may be violated with the consideration that </>1 of the processor clock may begin one system CLK period later. 

2. Setup and hold times for RESET I must be met for proper operation. 

3. The data bus is only guaranteed to be in 3-state OFF at the time shown. 
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BYTE 1 BYTE 2 

7 « S 4 3 2 1 078543210 



iiie: 




I 




OPCODE d 


w mod 


rag 


r/m 


i 


i i i 


ii 


i 


1 L 























REGISTER OPERAND/REGISTERS TO USE IN OFFSET CALCULATION 

REGISTER OPERAND/EXTENSION OF OPCODE 

REGISTER MODE/MEMORY MODE WITH DISPLACEMENT LENGTH 

WORD/BYTE OPERATION 

DIRECTION IS TO REGISTER/DIRECTION IS FROM REGISTER 

OPERATION (INSTRUCTION) CODE 



A. SHORT OPCODE FORMAT EXAMPLE 



BYTE1 BYTE 2 BYTE 3 

765432107854321078543210 



1 1 1 1 1 1 1 III 1 1 1 1 1 


I 


| | 


M 


LONG OPCODE 
_j 


mod 


r*g 


r/m 



B. LONG OPCODE FORMAT EXAMPLE 



Figure 35. 80286 Instruction Format Examples 



80286 INSTRUCTION SET SUMMARY 
Instruction Timing Notes 

The instruction clock counts listed below establish the 
maximum execution rate of the 80286. With no delays in 
bus cycles, the actual clock count of an 80286 program 
will average 5% more than the calculated clock count, 
due to instruction sequences which execute faster than 
they can be fetched from memory. 

To calculate elapsed times for instruction sequences, 
multiply the sum of all instruction clock counts, as listed 
in the table below, by the processor clock period. An 8 
MHz processor clock has a clock period of 1 25 nanosec- 
onds and requires an 80286 system clock (CLK input) of 
16 MHz. 

Instruction Clock Count Assumptions 

1 . The instruction has been prefetched, decoded, and 
is ready for execution. Control transfer instruction clock 
counts include all time required to fetch, decode, and 
prepare the next instruction for execution. 

2. Bus cycles do not require wait states. 

3. There are no processor extension data transfer or 
local bus HOLD requests. 

4. No exceptions occur during instruction execution. 



Instruction Set Summary Notes 

Addressing displacements selected by the MOD field 
are not shown. If necessary they appear after the in- 
struction fields shown. 

Above/below refers to unsigned value 

Greater refers to positive signed value 

Less refers to less positive (more negative) signed values 

ifd = 1 then to register; if d = then from register 

if w = 1 then word instruction; if w = then byte 

instruction 
if s =0 then 16-bit immediate data form the operand 
if s = 1 then an immediate data byte is sign-extended 

to form the 16-bit operand 

x don't care 

z used for string primitives for comparison with ZF 
FLAG 

If two clock counts are given, the smaller refers to a reg- 
ister operand and the larger refers to a memory operand 
* = add one clock if offset calculation requires sum- 
ming 3 elements 

n = number of times repeated 

m = number of bytes of code in next instruction 

Level (L) — Lexical nesting level of the procedure 
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The following comments describe possible exceptions, 
side effects, and allowed usage for instructions in both 
operating modes of the 80286. 

REAL ADDRESS MODE ONLY 

1 . This is a protected mode instruction. Attempted ex- 
ecution in real address mode will result in an unde- 
fined opcode exception (6). 

2. A segment overrun exception (13) will occur if a word 
operand reference at offset FFFF(H) is attempted. 

3. This instruction may be executed in real address 
mode to initialize the CPU for protected mode. 

4. The IOPL and NT fields will remain 0. 

5. Processor extension segment overrun interrupt (9) 
will occur if the operand exceeds the segment limit. 

EITHER MODE 

6. An exception may occur, depending on the value of 
the operand. 

7. LOCK is automatically asserted regardless of the 
presence or absence of the LOCK instruction prefix. 



8. LOCK does not remain active between all operand 
transfers. 

PROTECTED VIRTUAL ADDRESS MODE ONLY 

9. A general protection exception (13) will occur if the 
memory operand can not be used due to either a 
segment limit or access rights violation. If a stack 
segment limit is violated, a stack segment overrun 
exception (12) occurs. 

10. For segment load operations, the CPL, RPL, and 
DPL must agree with privilege rules to avoid an ex- 
ception. The segment must be present to avoid a 



not-present exception (1 1 ). If the SS register is the 
destination, and a segment not-present violation 
occurs, a stack exception (12) occurs. 

1 1 . All segment descriptor accesses in the GDT or LDT 
made by this instruction will automatically assert 
LOCK to maintain descriptor integrity in multipro- 
cessor systems. 

1 2. JMP, CALL, INT, RET, IRET instructions referring to 
another code segment will cause a general protec- 
tion exception (13) if any privilege rule is violated. 

13. A general protection exception (13) occurs if CPL 
±0. 

14. A general protection exception (13) occurs if 
CPL > IOPL 

15. The IF field of the flag word is not updated if 
CPL > IOPL. The IOPL field is updated only if 
CPL = 0. 

1 6. Any violation of privilege rules as applied to the se- 
lector operand do not cause a protection exception; 
rather, the instruction does not return a result and 
the zero flag is cleared. 

1 7. If the starting address of the memory operand vio- 
lates a segment limit, or an invalid access is at- 
tempted, a general protection exception (13) will 
occur before the ESC instruction is executed. A stack 
segment overrun exception (12) will occur if the stack 
limit is violated by the operand's starting address. If 
a segment limit is violated during an attempted data 
transfer then a processor extension segment over- 
run exception (9) occurs. 

18. The destination of an INT, JMP, CALL, RET or 
IRET instruction must be in the defined limit of 
a code segment or a general protection excep- 
tion (13) will occur. 
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80286 INSTRUCTION SET SUMMARY 



FUNCTION 


FORMAT 






CLOCK COUNT 


COMMENTS 


Real 

Address 

Mode 


Protected 
Virtual 
Address 
Mode 


Real 
Address 
Mode 


Protected 

Virtual 

Address 

Mode 


DATA TRANSFER 
MOV = Move: 

Registerto Register/Memory 

Register/memory to register 
Immediate to register/memory 
Immediate to register 
Memory to accumulator 
Accumulator to memory 
Register/memory to segment register 
Segment registerto register/memory 

PUSH = Push: 

Memory 

Register 
Segment register 








2,3* 
2,5* 
2,3* 

2 

5 

3 
2,5* 
2,3* 

5* 
3 
3 
3 


2,3* 
2,5* 
2,3* 

2 

5 

3 
17,19* 
2,3* 

5* 
3 
3 
3 


2 
2 
2 

2 
2 
2 
2 

2 
2 

2 

» >2 ■ 


9 
9 
9 

9 

9 

9,10,11 

9 

9 

9 

9 

* 9 


|1 1 w | 


mod reg r/m | 


|1 1 1 w | 


mod reg r/m | 


|1 1 1 1 w | 


modOOO r/m | 


data | data if w — 1 | 


|1 1 1 w reg | 


data | 


dataifw=1 | 


|1 01 00 w | 


addr-low 


addr-high 


|1 1 1 w | 


addr-low 


addr-high | 


|1 1 1 1 | 


mod reg r/m | 




|1 00 1 1 | 


mod reg r/m | 






|1 1 1 1 1 1 1 1 | 


mod 110 r/m | 


|0 1 1 reg | 




|0 reg 1 1 | 


Immediate 


(0 110 10s J 


data j 


data if s = | 






■ F «,,^,,^ : ^^^ 


"*.ir ' 

5* 
5 
5 


17 

5* 
5 
20 


2 
2 
2 


9 

9 

9,10,11 


PUSHA = Push All 

POP = Pop: 

Memory. 

Register 
Segment register 

ram = Pop ah 


|o 1 1 0| 








|1 1 1 1 1 | 


modOOO r/m | 


|0 1 1 1 reg | 


(reg* 01) 


|0 reg 1 1 1 | 




(0 110000 1] 




(mod * 11) 
(mod * 11) 


19 

3,5* 
3 

5 
5 

3 
3 
5 
3* 
7* 
7* 
2 
2 
3 
5 


19 

3,5* 
3 

5 
5 

3 

3 

5 
3* 
21' 
21* 

2 

2 

3 

5 


2,7 

2 
2 

2 

2,4 


9 

7,9 

14 
14 

14 
14 
9 

9,10,11 
9,10,11 

9 
9,15 


XCHG = Exchange: 

Register/memory with register 

Register with accumulator 

IN = Input from: 

Fixed port 

Variable port 

OUT = Output to: 

Fixed port 
Variable port 

XLAT = Translate byte to AL 
LEA = Load EA to register 
LDS = Load pointer to DS 
LES = Load pointer to ES 
LAHF = Load AH with flags 
SAHF = Store AH into flags 
PUSHF= Push flags 
POPF = Pop flags 






|1 00 1 1 w| 


mod reg r/m | 


|1 1 reg | 






|1 1 1 1 w| 


port | 


|1 110 1 1 w | 






|1 1 1 1 1 w | 


port | 


|1 1 1 1 1 1 w| 




|1 10 10 11 1 | 


|1 00 1 1 1 | 


mod reg r/m | 


|1 10 10 1| 


mod reg r/m | 


|1 10 10 0| 


mod reg r/m | 


|1 00 1 1 1 1 1 | 




|1 001111 | 


|1 0011100| 


|1 00 1 1 1 1 | 





Shaded areas indicate instructions not available in iAPX 86, 88 microsystems. 
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80286 INSTRUCTION SET SUMMARY (Continued) 



FUNCTION 


FORMAT 






CLOCK COUNT 


COMMENTS 


Real 

Address 

Mode 


Protected 

Virtual 

Address 

Mode 


Real 

Address 

Mode 


Protected 

Virtual 

Address 

Mode 


ARITHMETIC 
ADD = Add: 

Reg/memory with register to either 
Immediate to register/memory 
Immediate to accumulator 

ADC = Add with carry: 

Reg/memory with register to either 
Immediate to register/memory 
Immediate to accumulator 

INC = Increment: 

Register/memory 
Register 

SUB = Subtract: 

Reg/memory and register to either 
Immediate from register/memory 
Immediate from accumulator 

SBB = Subtract with borrow: 

Reg/memory and register to either 

Immediate from register/memory 
Immediate from accumulator 

DEC = Decrement: 

Register/memory 

Register 

CMP = Compare: 

Register/memory with register 

Register with register/memory 
Immediate with register/memory 
Immediate with accumulator 
NEG= Change sign 
AAA = ASCII adjust for add 
DAA = Decimal adjust for add 
AAS = ASCII adjust for subtract 
DAS = Decimal adjust for subtract 

MUL= Multiply (unsigned): 

Register-Byte 

Register-Word 

Memory-Byte 

Memory-Word 

IMUL = Integer multiply (signed): 

Register-Byte 

Register-Word 

Memory-Byte 

Memory-Word 








2,7* 

3,7* 

3 

2,7* 

3,7* 

3 

2,7* 
2 

2,7* 

3,7* 

3 

2,7* 

3,7* 

3 

2,7* 
2 

2,6* 
2,7* 
3,6* 

3 

2 

3 

3 

3 

3 

13 
21 
16* 
24* 

13 
21 

16* 
24* 

21.24* 

14 

22 
17* 
25* 


2,7* 

3.7* 

3 

2,7* 

3,7* 

3 

2,7* 
2 

2,7* 

3,7* 

3 

2,7* 

3,7* 

3 

2,7' 
2 

2,6* 
2,7* 
3,6" 

3 

7* 

3 

3 

3 

3 

13 
21 
16* 
24* 

13 

21 
16' 
24* 

21.24* 

14 

22 
17* 
25* 


2 
2 

2 
2 

2 

2 
2 

2 
2 

2 

2 
2 
2 

2 

2 
2 

2 
2 

2 

6 

6 

2,6 
2,6 


9 
9 

9 
9 

9 

9 
9 

9 
9 

9 

9 
9 
9 

7 

9 
9 

9 
9 

9 

6 
6 

6,9 
6,9 


|0 00 d w 


mod reg r/m | 


|1 00 s w 


mod 000 r/m | 


data | dataifsw = 01 | 


|0 00 1 w 


data | 


data it w = 1 | 








|0 00 1 d w 


mod reg r/m | 


|1 00 s w 


mod010 r/m | 


data | data il s w = 01 | 


|0 00 1 1 w 


data | 


data if w = 1 | 








|1 1 1 1 1 1 1 w 


modOOO r/m | 


|0 1 reg 






|0 1 1 d w 


mod reg r/m | 


|1 00 00 s w 


modi 01 r/m | 


data | data if s w = 1 | 


|0 1 1 1 w 


data | 


data if w = 1 | 








|0 00 1 1 d w 


mod reg r/m | 


|1 00 00 Os w 


mod 1 1 r/m | 


data | data if s w = 1 | 


|0 00 1 1 1 W 


data | 


data if w = 1 








|1 1 1 1 1 1 1 w 


mod 001 r/m | 


|01001 reg 






|0 1 1 1 01 w 


mod reg r/m | 


|0 1 1 1 00 w 


mod reg r/m | 


|1 000 Os w 


mod 1 1 1 r/m | 


data f data if s w = 1 | 


|0 1 1 1 1 w 


data | 


data if w = 1 | 


|1 1 1 1 1 1 w 


mod 1 1 r/m | 




(0011011 1 




|0010011 1 


|0 1 1 1 1 1 1 


|0 1 1 1 1 1 




|1 1 1 1 1 1 w 


mod 100 r/m | 


|1 1 1 1 1 1 w 


modi 01 r/m | 


IMUL = Integer immediate multiply 
(signed) 

DIV = Divide (unsigned): 

Register-Byte 

Register-Word 

Memory-Byte 

Memory-Word 


|0 110 1 Os 1 


mod reg r/m | 


data | dataifs-0 1 


— — • 


- ~ 




|1 1 1 1 1 1 w 


mod 1 1 r/m | 



Shaded areas indicate instructions not available in iAPX 86, 88 microsystems. 
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80286 INSTRUCTION SET SUMMARY (Continued) 



FUNCTION FORMAT 


CLOCK COUNT 


COMMENTS 


Real 
Address 
Mode 


Protected 

Virtual 

Address 

Mode 


Real 

Address 

Mode 


Protected 

Virtual 

Address 

Mode 


ARITHMETIC (Continued): 

IDIV = Integer divide (signed): j 

Register-Byte 

Register-Word 

Memory-Byte 

Memory-Word 

AAM = ASCII adjust for multiply 

AAD = ASCII adjust for divide 

CBW = Convert byte to word 

CWD = Convert word to double word 

LOGIC 

Shift Rotate Instructions: 

Register/Memory by 1 
Register/Memory by CL 
Register/Memory by Count 








17 
25 
20* 
28* 
16 
14 

2 

2 

2,7* 
5»n,8 + n* 

5+n.8+n" 

2,7* 

3,7* 

3 

2,6* 

3,6* 

3 

2,7* 

3,7* 

3 

2,7* 
3,7* 

3 
2,7* 

5 
8 
7 
5 
3 
5 
5 


17 

25 
20* 
28* 

16 

14 

2 

2 

2,7* 
5+n.8+n* 
5+n,8+n* 

2,7* 

3,7* 

3 

2,6* 

3,6* 

3 

2,7* 

3,7' 

3 

2,7* 
3,7* 

3 
2,7* 

5 
8 
7 
5 
3 
"' 5" 
5 


6 

6 

2,6 
2,6 

2 
2 
2 

2 
2 

2 
2 

2 
2 

2 
2 

2 

2 

2 

2 

2 

2 
'" 2 " 
. 2 


6 

6 

6,9 
6,9 

9 

9 

....... g ....... 

9 
9 

9 
9 

9 
9 

9 
9 

9 

9 

9 

9 

9 

9 
9,14 
9,14 


1 1 1 1 1 1 w 


mod 111 r/m | 






1 10 10 10 


10 10| 


1 10 10-101 


10 10| 


10 110 


10011001 




1 1 1 w 


mod TTT r/m | 


1 1 1 1 w 


mod TTT r/m | 


1 1 00 w 


mod TTT r/m | 


count ) 


AND = And: 

Reg/memory and register to either 
Immediate to register/memory 
Immediate to accumulator 

TEST= And function to flags, no result: 

Register/memory and register 

Immediate data and register/memory 
Immediate data and accumulator 

OR = Or: 

Reg/memory and register to either 
Immediate to register/memory 
Immediate to accumulator 

XOR = Exclusive or: 

Reg/memory and register to either 
Immediate to register/memory 
Immediate to accumulator 
NOT = Invert register/memory 

STRING MANIPULATION: 
MOVS = Move byte/word 
CMPS = Compare byte/word 
SCAS = Scan byte/word 
LODS = Load byte/wd to AL/AX 
STOS = Stor byte/wd from AUA 




TTT Instructio 

ROL 
1 ROR 
10 RCL 

11 RCR 

1 SHL/SA 
10 1 SHR 
111 SAR 


ii 

L 


1 d w 


mod reg r/m | 


1 w 


mod 100 r/m | 


data | data if w = 1 


1 1 w 


data | 


data if w = 1 | 








1 1 w 


mod reg r/m | 


1 1 1 1 1 1 w 


modOOO r/m | 


data | data if w = 1 | 


1 1 1 w 


data | 


data if w = 1 | 








1 d w 


mod reg r/m | 


1 w 


mod001 r/m | 


data | data if w — 1 | 


1 1 w 


data | 


data if w = 1 | 








1 1 d w 


mod reg r/m | 


1 w 


mod 1 1 r/m | 


data | data if w = 1 | 


1 1 1 w 


data | 


data if w = 1 ) 


1 1 1 1 1 1 w 


mod010 r/m | 








1 1 1 w 


1 1 1 1 w 


1-0 1 1 1 1 w 


1 1 1 1 w 


1 1 1 1 w 


INS = Input byte/wd from OX port 
OUTS = Output byte/wd to DX port 


1 1 1 1 w 




1 1 1 1 1 W 



Shaded areas indicate instructions not available in iAPX 86, 88 microsystems. 
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80286 INSTRUCTION SET SUMMARY (Continued) 



FUNCTION FORMAT 


CLOCK COUNT 


COMMENTS 


Real 
Address 
Mode 


Protected 

Virtual 

Address 

Mode 


Real 

Address 

Mode 


Protected 

Virtual 

Address 

Mode 


STRING MANIPULATION (Continued): 

Repeated by count in CX 


5 + 4n 
5+9n 
5 + 8n 
5 + 4n 
4+3n 
5+4n 
_5+4n 

7+m 

7+m,11+m" 

13 + m 

16+m 

7+m 
7+m 

7+m,11+m* 

11+m 

15+m' 

11+m 
11+m 
15 + m 
15 + m 


5 + 4n 
5 + 9n 
5 + 8n 
5 + 4n 

4 + 3n 

5 + 4n 
5+4n 

7+m 

7+m,11+m' 

26 + m 

41 + m 
82+m 
86+4x+m 
177 +m 
182 +m 

29+ m" 

44+m' 
83+m' 
90+4x+m' 
180+m' 
185 +m" 

7+jji 
7+m 

7+m,11+m" 

23+m 

38+m 
175+m 

180+m 

26+m" 

41 +m" 
178 +m* 
183+m' 

11+m 
11+m 
25 + m 

55 + m 


2 

2,8 
2,8 
2,8 
2,8 

2 

2 

2 
2,8 

2 
2 

2 

2 

2 
2 
2 
2 


9 

8,9 
8,9 
8,9 
8,9 
9,14 
9,14 

18 

8,9,18 

11,12,18 

8,11,12,18 
8,11,12,18 
8,11,12,18 
8,11,12,18 
8,11,12,18 

8,9,11,12,18 

8,9,11,12,18 
8,9,11,12,18 
8,9,11,12,18 
8,9,11,12,18 
8,9,11,12,18 

18 
18 
9,18 

11,12,18 

8,11,12,18 
8,11,12,18 
8,11,12,18 

8,9,11,12,18 

8,9,11,12,18 
8,9,11,12,18 
8,9,11,12,18 

8,9,18 

8,9,18 
8,9,11,12,18 
8,9,11,12,18 

9,11,12,18 


MOVS = Move string |1 1110 1 


1 1 1 w| 


CMPS = Compare string |l 1110 1 z 


1 1 1 1 w| 


SCAS = Scan string |l 1110 1 z 


1 1 1 1 1 w| 


L0DS = Load string |1 1 1 1 1 


1 1 1 1 w| 


STOS = Store string |1 1110 1 


1 1 1 1 w| 


INS - input string |1 1 1 1 1 


01 1 1 1 0w| 


OUTS -Output string |i 1110 1 


0.1-1 1 1 1 w| 


CONTROL TRANSFER 
CALL = Call: 


Direct within segment [l_1 10 10 


disp-low | disp-high 


Register/memory |l 111111 1 


mod 1 r/m | 


indirect within segment 


Direct intersegment 1 1 1 10 1 


segment offset 


Protected Mode Only (Direct intersegment): 

Via call gate to same privilege level 

Via call gate to different privilege level, no parameters 

Via call gate to different privilege level, x parameters 

ViaTSS 

Via task gate 


segment selector 




Indirect intersegment |1 111111 1 


mod011 r/m | (mod* 11) 


Protected Mode Only (Indirect intersegment): 

Via call gate to same privilege level 

Via call gate to different privilege level, no parameters 

Via call gate to different privilege level, x parameters 

ViaTSS 

Via task gate 

JMP = Unconditional jump: 


Short/long 1 1 110 10 1 1 


disp-low | 


Direct within segment (l 1 1 1 00 1 


disp-low | disp-high 


Register/memory indirect within segmental 111111 1 


mod 100 r/m | 




Direct intersegment J1 110 10 1 


segment offset 


Protected Mode Only (Direct intersegment): 

Via call gate to same privilege level 

ViaTSS 

Via task gate 


segment selector 




Indirect interseament |1 111111 1 


modi 01 r/m | (mod * 11) 


Protected Mode Only (Indirect intersegment): 

Via call gate to same privilege level 

ViaTSS 

Via task gate 

RET = Return from CALL: 




Within segment |1 10 1 1 


Within seg adding immed to SP |l 10 1 


data-low | data-high 


Intersegment |l 10 10 1 1 | 


Intersegment adding immediate to SP [1 10 10 1 


data-low | data-high 


Protected Mode Only (RET): 

To different privilege level 



Shaded areas indicate instructions not available in iAPX 86, 88 microsystems. 



C-47 



iny 



iAPX 286/10 



APMNKgi 0[^©[^[jMT0®M 



80286 INSTRUCTION SET SUMMARY (Continued) 



FUNCTION 


FORMAT 




CLOCK COUNT 


COMMENTS 


Real 
Address 
Mode 


Protected 

Virtual 

Address 

Mode 


Real 

Address 

Mode 


Protected 

Virtual 

Address 

Mode 


CONTROL TRANSFER (Continued): 
JE/JZ = Jump on equal/zero 

JL/JNGE = Jump on less/not greater or equal 
JLEAING = Jump on less or equal/not greater 
JB/JNAE = Jump on below/not above or equal 
JBE/JNA = Jump on below or equal/not above 
JP/JPE = Jump on parity/parity even 
JO = Jump on overflow 
JS = Jump on sign 

JNE/JNZ = Jump on not equal/not zero 
JNL/JGE = Jump on not less/greater or equal 
JNLE/JG = Jump on not less or equal/greater 
JNB/JAE = Jump on not below/above or equal 
JNBE/JA = Jump on not below or equal/above 
JNP/JPO = Jump on not par/par odd 
JNO = Jumponnotoverflow 
JNS = Jump on not sign 
LOOP = Loop CX times 
LOOPZ/L0OPE = Loop while zero/equal 
L00PNZ/L00PNE = Loop while not zero/equal 
JCXZ= Jump on CX zero 

ENTER = Enter Procedure 

L = 

L = 1 

L>1 

LEAVE = Leave Procedure 






7+-mor3 
7+-mor3 
7+mor3 
7+mor3 
7+-mor3 
7+-mor3 
7+-mor3 
7+mor3 
7+mor3 
7+-mor3 
7+mor3 
7+mor3 
7+mor3 
7+mor3 
7+-mor3 
7+-mor3 
8+mor4 
8+mor4 
8+-mor4 
8+mor4 

11 

15 

16+4(1-1) 

5 

23 + m 

23+-m 

24+mor3 
(3 if no 
interrupt) 

17+m 
13* 


7+mor3 
7+mor3 
7+mor3 
7+mor3 
7+mor3 
7+mor3 
7+mor3 
7+mor3 
7+-mor3 
7+mor3 
7+mor3 
7+mor3 
7+mor3 
7+mor3 
7+mor3 
7+-mor3 
8+-mor4 
8 + mor4 
8 + mor4 
8 + mor4 

11 
15 

16+4(1-1) 
5 

{3 if no 
interrupt) 

40 + m 
78 + m 

167+ m 

31 +m 

55 + m 
169+m 

13* 

(Use INT eta* 

counts 

acsstionS) 


2.8 
2,8 

2,8': ; 

2.8 

2,7,8 
2,7,8 
2,6,8 

2,4 

" : '2,6" 


18 
18 
18 
18 
18 
18 
18 
18 
18 
18 
18 
18 
18 
18 
18 
18 
18 
18 
18 
18 

8,9 
8,9 
8,9 
8,9 

7,8,11,12,18 
7,8,11,12,18 
7,8,11,12,18 

8,9,11,12,15,18 

8,9,11,12,15,18 
8,9,11,12,18 


|0 1 1 1 1 | 


disp 1 


|0 1 1 1 1 1 | 


disp 


|0 1 1 1 1 1 1 | 


disp | 


|0111001 | 


disp | 


(0 111011 0| 


disp | 


J0111101 | 


disp | 


|0 1 1 1 | 


disp | 


|0 1 1 1 1 00 | 


disp | 


|0 1 1 1 1 1 | 


disp 1 


|0 1 1 1 1 1 1 | 


disp | 


|0 1 1 1 1 1 1 1 | 


disp | 


|0111001 1 | 


disp | 


|0111011 1 | 


disp 


1 11 1 10 1 1 | 


disp | 


|0 1 1 1 00 1 | 


disp | 


|0 1 1 1 1 1 | 


disp | 


|1 1 1 1 | 


disp 1 


|1 110 1| 


disp 1 


|1 110 0| 


disp 


|1 110 1 1 | 


disp I 






|1 10Q1000| 


data-low | data-high | L 






|1 10 1001| 


INT= Interrupt: 

Type specified 

Type 3 

INTO = Interrupt on overflow 

Protected Mode Only: 

Via interrupt or trap gate to same priv 
Viainterrupt or trap gate to fit differen 
Via Task Gate 

IRET = Interrupt return 

Protected Mode Only: 

To different privilege level 
To differenttask (NT= 1) 




|1 10 110 1| 


type | 


|1 10 110 0| 




|1 1 1 1 1 | 

ege level 
t privilege level 


| 1 10 111 1 | 




BOUND = Detect value out of range 


| 11 1 o 1 


mod reg r/m J 



Shaded areas indicate instructions not available in iAPX 86, 88 microsystems. 
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80286 INSTRUCTION SET SUMMARY (Continued) 



FUNCTION 


FORMAT 






CLOCK COUNT 


COMMENTS 


Real 

Address 

Mode 


Protected 
Virtual 
Address 
Mode 


Real 

Address 

Mode 


Protected 
Virtual 
Address 
Mode 


PROCESSOR CONTROL 

CLC = Clear carry 

CMC = Complement carry 

STC = Set carry 

CLD = Clear direction 

STD = Set direction 

CL1 = Clear interrupt 

ST1 = Set interrupt 

HLT=Halt 

WAIT = Wait 

LOCK = Bus lock prefix 








2 
2 
2 
2 
2 
3 
2 
2 
3 

2 
9-20* 



11* 
11* 
12* 
12* 

3,6* 
2.3* 


2 
2 
2 
2 
2 
3 
2 
2 
3 

2 
9-20' 



11* 
11* 
12* 
12* 

17,19* 
2,3' 

17,19* 

2,3* 

3,6* 
2,3* 

14,16* 

14,16* 

10*,11* 
14,16* 
14,16* 


3 

5,8 

2,3 
2,3 
2,3 
2,3 

1 

1 

1 

1 

2.3 
2,3 

1 

1 

2 

1 
1 


14 
14 
13 

14 
13 
8,17 

9,13 

9 

9,13 

9 

9.11,13 

9 
9,11,13 

9 

9.13 
9 

9,11.16 

9,11,16 

8,9 
9,11,16 
9,11,16 


1 11110 


1 1110 10 1 


1 11110 1 


1111110 


1 111110 1 


111110 10 


111110 11 


1 1110 10 


10011011 


1 1110 


CTS = Clear task switched flag 


000111 1 


0000 110| 




ESC = Processor Extension Escape 

SEG= Segment Override Prefix 

PROTECTION CONTROL 

LfiDT « load global riescriptor table register 

SGDT » Store global tecriptortaWe register 
UOT » Load interrupt descriptor table register 
8I0T » Store interrupt descriptor tatto register 

LLDT •» Load tal descriptor table register 
from register memory 

SLOT = Store local descriptortabte register 
to register/memory 

LTR- load task register 

from register/memory 
STR= Store task register 

to register memory 

LMSW- Load machine status wrd 
from register/memory 

SMSW = Store machine status word 
LAR« Load access rights 
fromregjstertnemory 

LSL= load segment limit 
from register/memory 

ARPL = Adpjst requested privilege level: 
from register/memory 

VERR = Utrtty read access: registerytiWDOfy / 

VERR= Verify write access: 


1 1 1 1 TT T 


mod LLL r/m | 




TTTLLL are opcode t 


o processor extension) 


001 reg110 




000111 1 


0000000 1| 


modOIOr/m | 


000111 1 


0000000 1| 


mod 000 r/m | 


000111 1 


0000000 1| 


mod 1 1 r/m I 


000111 1 


0000000 1| 


modOOl r/m | 




000111 1 


000 0000| 


mod 010 r/m | 




000111 1 


0000000 0| 


modOOO r/m | 




000111 1 


0000000 0| 


mod011 r/m | 




000111 1 


0000000 0| 


modOOl r/m | 




000111 1 


0000000 1| 


mod 1 1 r/m | 


000111 1 


0000000 1[ 


mod 100 r/m | 




000111 1 


00 00 00 1 0| 


modreg r/m | 




0001111 


000 00 11| 


modreg r/m | 








1100011| 


modreg r/m | 


000111 1 


0000000 0| 


mod 100 r/m } 


000111 1 


0000000 oj 


mod 101 r/m | 



Shaded areas indicate instructions not available in iAPX 86, 88 microsystems. 
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Footnotes 

The effective Address (EA) of the memory operand is 
computed according to the mod and r/m fields: 

if mod = 1 1 then r/m is treated as a REG field 

if mod = OOthenDISP = 0*, disp-low and disp-high 

are absent 

if mod = 01 thenDISP = disp-low sign-extended to 

1 6-bits, disp-high is absent 

if mod = "lOthenDISP = disp-high: disp-low 



if r/m = 000 then EA 
if r/m = 001 then EA 
fr/m = OlOthenEA 
fr/m = 011 then EA 
fr/m = 100thenEA 
fr/m = 101 then EA 
fr/m = HOthenEA 
fr/m = 111 then EA 



(BX) + (SI) + DISP 
(BX) + (Dl) + DISP 
(BP) + (SI) + DISP 
(BP) + (Dl) + DISP 
(SI) + DISP 
(Dl) + DISP 
(BP) + DISP* 
(BX) + DISP 



REG is assigned according to the following table: 
16-Blt(w = 1) 8-Bit(w = 0) 



000 AX 

001 CX 

010 DX 

011 BX 

100 SP 

101 BP 

110 SI 

111 Dl 



000 AL 

001 CL 

010 DL 

011 BL 

100 AH 

101 CH 

110 DH 

111 BH 



The physical addresses of all operands addressed by 
the BP register are computed using the SS segment 
register. The physical addresses of the destination op- 
erands of the string primitive operations (those ad- 
dressed by the Dl register) are computed using the ES 
segment, which may not be overridden. 



DISP follows 2nd byte of instruction (before data if 
required) 

"except if mod = 00 and r/m = HOthenEA = disp-high: disp-low. 



SEGMENT OVERRIDE PREFIX 

|0 1 reg 1 1 0| 

reg is assigned according to the following: 



reg 


Segment 
Register 


00 


ES 


01 


CS 


10 


SS 


11 


DS 
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List of Minor Differences Between 
iAPX 86 and iAPX 286 (Real Mode) D-1 



APPENDIX D 
iAPX 86/88 SOFTWARE COMPATIBILITY CONSIDERATIONS 



In general, the real address mode iAPX 286 
will correctly execute ROM-based iAPX 
86/88 software. The following is a list of the 
minor differences between iAPX 86 and iAPX 
286 (Real mode). 

1. Add Six Interrupt Vectors. 

The iAPX 286 adds six interrupts which 
arise only if the iAPX 86/88 program has 
a hidden bug. These interrupts occur only 
for instructions which were undefined on 
the 8086/8088 or if a segment wrapa- 
round is attempted. It is recommended 
that you add an interrupt handler to the 
iAPX 86/88 software that is to be run on 
the iAPX 286, which will treat these 
interrupts as invalid operations. 

This additional software does not signifi- 
cantly effect the existing iAPX 86/88 
software because the interrupts do not 
normally occur and should not already 
have been used since they are in the 
interrupt group reserved by Intel. 
Table D-l describes the new iAPX 286 
interrupts. 

2. Do not Rely on iAPX 86/88 Instruction 
Clock Counts. 

The iAPX 286 takes fewer clocks for 
most instructions than the iAPX 86/88. 
The areas to look into are delays between 
I/O operations, and assumed delays in 
iAPX 86/88 operating in parallel with an 
8087. 

3. Divide Exceptions Point at the DIV 
Instruction. 

Any interrupt on the iAPX 286 will 
always leave the saved CS:IP value 
pointing at the instruction which failed. 
On the iAPX 86/88, the CS:IP value 



Table D-1. New iAPX 286 Interrupts 


Interrupt 
Number 


Function 


5 

6 
7 

8 

9 

13 


A BOUND instruction was 
executed with a register value 
outside the two limit values. 

An undefined opcode was 
encountered. 

The EM bit in the MSW has been 
set and an ESC instruction was 
executed. This interrupt will also 
occur on WAIT instructions if TS 
is set. 

The interrupt table limit was 
changed by the LIDT instruction 
to a value between 20H and 42H. 
The default limit after reset is 
3FFH, enough for all 256 inter- 
rupts. 

A processor extension data 
transfer exceeded offset OFFFFH 
in a segment. This interrupt 
handler must execute FNINIT 
before any ESC or WAIT instruc- 
tion is executed. 

Segment wraparound was 
attempted by a word operation at 
offset OFFFFH. A push with 
SP=1 during PUSH, CALL, or 
INT will also cause this. 



saved for a divide exception points at the 
next instruction. 

Use Interrupt 16 for Numeric Excep- 
tions. 

Any iAPX 286/20 system must use 
interrupt vector 1 6 for the numeric error 
interrupt. If an iAPX 86/20 or iAPX 
88/20 system uses another vector for the 
8087 interrupt, both vectors should point 
at the numeric error interrupt handler. 



D-1 



IAPX 86/88 SOFTWARE COMPATIBILITY CONSIDERATIONS 



5. Numeric Exception Handlers Should 
allow Prefixes. 

The saved CS:IP value in the NPX 
environment save area will point at any 
leading prefixes before an ESC instruc- 
tion. On iAPX 86/88 systems, this value 
points only at the ESC instruction. 

6. Do Not Attempt Undefined iAPX 86/88 
Operations. 

iAPX 86/88 instructions like POP CS or 
MOV CS,op will either cause exception 
6 (undefined opcode) or perform a 
protection setup operation like LIDT on 
the iAPX 286. Undefined bit encodings 
for bits 5-3 of the second byte of POP 
MEM or PUSH MEM will cause excep- 
tion 13 on the iAPX 286. 

7. Place a Far JMP Instruction at FFFFOH. 

After reset, CS:IP = F000:FFF0 on the 
iAPX 286. This change was made to 
allow sufficient code space to enter 
protected mode without reloading CS. 
Placing a far JMP instruction at 
FFFFOH will avoid this difference. Note 
that the BOOTSTRAP option of LOC86 
will automatically generate this jump 
instruction. 

8. Do not Rely on the Value Written by 
PUSH SP. 

The iAPX 286 will push a different value 
on the stack for PUSH SP than the iAPX 
86/88. If the value pushed is important, 
replace PUSH SP instructions with the 
following three instructions: 

PUSH BP 

MOV BP,SP 

XCHG BP,[BP] 

This code functions as the iAPX 86/88 
PUSH SP instruction on the iAPX 286. 

9. Do not Shift or Rotate by More than 31 
Bits. 



The iAPX 286 masks all shift/rotate 
counts to the low 5 bits. This MOD 32 
operation limits the count to a maximum 
of 3 1 bits. With this change, the longest 
shift/rotate instruction is 39 clocks. 
Without this change, the longest shift/ 
rotate instruction would be 264 clocks, 
which delays interrupt response until the 
instruction completes execution. 

10. Do not Duplicate Prefixes. 

The iAPX 286 sets an instruction length 
limit of 10 bytes. The only way to violate 
this limit is by duplicating a prefix two 
or more times before an instruction. 
Exception 6 occurs if the instruction 
length limit is violated. The iAPX 86 or 
88 has no instruction length limit. 

1 1. Do not Rely on Odd iAPX 86/88 LOCK 
Characteristics. 

The LOCK prefix and its corresponding 
output signal should only be used to 
prevent other bus masters from inter- 
rupting a data movement operation. The 
iAPX 286 will always assert LOCK 
during an XCHG instruction with 
memory (even if the LOCK prefix was 
not used). LOCK should only be used 
with the XCHG, MOV, MOVS, INS, 
and OUTS instructions. 

The iAPX 286 LOCK signal will not go 
active during an instruction prefetch. 

12. Do not Single Step External Interrupt 
Handlers. 

The priority of the iAPX 286 single step 
interrupt is different from that of the 
iAPX 86/88. This change was made to 
prevent an external interrupt from being 
single-stepped if it occurs while single 
stepping through a program. The iAPX 
286 single step interrupt has higher 
priority than any external interrupt. 
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IAPX 86/88 SOFTWARE COMPATIBILITY CONSIDERATIONS 



The iAPX 286 will still single step 
through an interrupt handler invoked by 
INT instructions or an instruction 
exception. 

13. Do not Rely on IDIV Exceptions for 
Quotients of 80H or 8000H. 

The iAPX 286 can generate the largest 
negative number as a quotient for IDIV 
instructions. The iAPX 86 will instead 
cause exception 0. 



14. Do not Rely on NMI Interrupting NMI 
Handlers. 

After an NMI is recognized, the NMI 
input and processor extension limit error 
interrupt is masked until the first IRET 
instruction is executed. 

15. The NPX error signal does not pass 
through an interrupt controller (an 
8087 INT signal does). Any interrupt 
controller-oriented instructions for the 
iAPX 86/20 may have to be deleted. 
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U.S. SALES OFFICES 



ALABAMA 

Intel Corp. 

303 Williams Avenue. S.W. 

Suite 1422 

Huntsville 35801 

Tel: (205) 533-9353 

ARIZONA 

Intel Corp. 
11225 N. 28th Drive 
Suite 214D 
Phoenix 85029 
Tel: (602) 869-4980 

CALIFORNIA 

Intel Corp. 

1010 Hurley Way 

Suite 300 

Sacramento 95825 

Tel: (916) 929-4078 

Intel Corp. 

7670 Opportunity Road 

Suite 135 

San Diego 921 11 

Tel: (714) 268-3563 

Intel Corp.* 

2000 East 4th Street 

Suite 100 

Santa Ana 92705 

Tel: (619) 835-9642 

TWX: 910-595-1114 

Intel Corp.* 

1350Shorebird Way 

Mt. View 94043 

Tel: (415) 968-8086 

TWX: 910-339-9279 

910-338-0255 

Intel Corp.* 

5530 Corbin Avenue 

Suite 120 

Tarzana 91356 

Tel: (213) 708-0333 

TWX: 910-495-2045 

COLORADO 

Intel Corp. 

4445 Northpark Drive 

Suite 100 

Colorado Springs 80907 

Tel: (303) 594-6622 

Intel Corp.* 

650 S. Cherry Street 

Suite 720 

Denver 60222 

Tel: (303) 321-8086 

TWX: 910-931-2289 

CONNECTICUT 

Intel Corp. 

36 Padanaram Road 
Danbury 06810 
Tel: (203) 792-8366 
TWX: 710-456-1199 

EMC Corp. 

393 Center Street 

Wallingford 06492 

Tel: (203) 265-6991 

FLORIDA 

Intel Corp. 

1500 N.W. 62nd Street 

Suite 104 

Ft. Lauderdale 33309 

Tel: (305) 771-0600 

TWX: 510-956-9407 

Intel Corp. 
500 N. Maitland 
Suite 205 
Maitland 32751 
Tel: (305) 628-2393 
TWX: 810-853-9219 



OEORQIA 

Intel Corp. 

3300 Holcombe Bridge Road 

Suite 225 

Norcross 30092 

Tel: (404) 449-0541 

ILLINOIS 

Intel Corp.* 

2550 Golf Road. 

Suite 815 

Rolling Meadows 60008 

Tel: (312)981-7200 

TWX: 910-651-5881 

INDIANA 

Intel Corp. 
9100 Purdue Road 
Suite 400 
Indianapolis 46268 
Tel: (317) 875-0623 

IOWA 

Intel Corp. 

St. Andrews Building 

1930 St. Andrews Drive N.E. 

Cedar Rapids 52402 

Tel: (319) 393-5510 

KANSAS 

Intel Corp. 

6400 W. 110th Street 

Suite 170 

Overland Park 66210 

Tel: (913) 642-8080 

LOUISIANA 

Industrial Digital Systems Corp. 

2332 Severn Avenue 

Suite 202 

Metairie. LA 70001 

Tel: (504)831-8492 

MARYLAND 

Intel Corp.* 

7257 Parkway Drive 

Hanover 21076 

Tel: (301) 796-7500 

TWX: 710-862-1944 

Intel Corp. 

7833 Walker Drive 

Greenbelt 20770 

Tel: (301) 431-1200 

MASSACHUSETTS 

Intel Corp." 
27 Industrial Avenue 
Chelmsford 01824 
Tel: (617) 256-1800 
TWX: 710-343-6333 
EMC Corp. 
385 Elliot Street 
Newton 02164 
Tel: (617) 244-4740 
TWX: 922531 

MICHIGAN 

Intel Corp." 

26500 Northwestern Hwy. 

Suite 401 

Southfield 48075 

Tel: (313) 353-0920 

TWX: 810-244-4915 

MINNESOTA 

Intel Corp. 
3500 W. 80th Street 
Suite 360 

Bloomington 55431 
Tel: (612)835-6722 
TWX: 910-576-2867 

MISSOURI 

Intel Corp. 

4203 Earth City Expressway 

Suite 131 

Earth City 63045 

Tel: (314) 291-1990 



NEW JERSEY 

Intel Corp." 
Raritan Plaza III 
Raritan Center 
Edison 08837 
Tel: (201) 225-3000 
TWX: 710-480-6238 

NEW MEXICO 

Intel Corp. 

1120 Juan Tabo N.E. 
Albuquerque 87112 
Tel: (505) 292-8086 

NEW YORK 

Intel Corp." 

300 Vanderbilt Motor Parkway 

Hauppauge 11788 

Tel: (516) 231-3300 

TWX: 510-227-6236 

Intel Corp. 

80 Washington Street 

Poughkeepsie 12601 

Tel: (914) 473-2303 

TWX: 510-248-0060 

Intel Corp." 

21 1 White Spruce Boulevard 

Rochester 14623 

Tel: (716) 424-1050 

TWX: 510-253-7391 

T-Squared 

6443 Ridings Road 

Syracuse 13206 

Tel: (315) 463-8592 

TWX: 710-541-0554 

T-Squared 

7353 Pittsford 

Victor Road 

Victor 14564 

Tel: (716) 924-9101 

TWX: 510-254-8542 

NORTH CAROLINA 

Intel Corp. 

2306 W. Meadowview Road 

Suite 206 

Greensboro 27407 

Tel: (919) 294-1541 

OHIO 

Intel Corp." 

6500 Poe Avenue 

Dayton 45414 

Tel: (800) 325-4415 

TWX: 810-450-2528 

Intel Corp." 

Chagrin-Brainard Bldg., No. 300 

28001 Chagrin Boulevard 

Cleveland 44122 

Tel: (216) 464-6915 

TWX: 810-427-9298 

OKLAHOMA 

Intel Corp. 

4157 S. Harvard Avenue 

Suite 123 

Tulsa 74135 

Tel: (916) 749-8688 

OREGON 

Intel Corp. 

10700 S.W. Beaverton 
Hillsdale Highway 
Suite 22 

Beaverton 97005 
Tel: (503) 641-8086 
TWX: 910-467-8741 



PENNSYLVANIA 

Intel Corp." 

510 Pennsylvania Avenue 

Fort Washington 19034 

Tel: (215) 641-1000 

TWX: 510-661-2077 

Intel Corp." 

201 Perm Center Boulevard 

Suite 301W 

Pittsburgh 15235 

Tel: (412) 823-4970 

Q.E.D. Electronics 

300 N. York Road 

Hatboro 19040 

Tel: (215) 674-9600 

TEXAS 

Intel Corp." 

12300 Ford Road 

Suite 380 

Dallas 75234 

Tel: (214) 241-8087 

TWX: 910-860-5617 

Intel Corp." 

7322 S.W. Freeway 

Suite 1490 

Houston 77074 

Tel: (713) 988-8086 

TWX: 910-881-2490 

Industrial Digital Systems Corp. 

5925 Sovereign 

Suite 101 

Houston 77036 

Tel: (713) 988-9421 

Intel Corp. 

313 E. Anderson Lane 

Suite 314 

Austin 78752 

Tel: (512) 454-3628 

UTAH 

Intel Corp. 

268 West 400 South 

Salt Lake City 84101 

Tel: (801) 533-8086 

VIRGINIA 

Intel Corp. 

1603 Santa Rosa Road 

Suite 1 09 

Richmond 23288 

Tel: (804) 282-5668 

WASHINGTON 

Intel Corp. 

110 110th Avenue N.E. 

Suite 510 

Bellevue 98004 

Tel: (206) 453-6086 

TWX: 910-443-3002 

WISCONSIN 

Intel Corp. 

450 N. Sunnyslope Road 

Suite 130 

Brookfield 53005 

Tel: (414) 784-9060 
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U.S. DISTRIBUTORS 



ALABAMA 

tArrow Electronics, Inc. 
361 1 Memorial Parkway So. 
Huntsville 35405 
Tel: (205) 882-2730 
tHamilton/Avnet Electronics 
4812 Commercial Drive N.W. 
Huntsville 35805 
Tel: (205) 837-7210 
TWX: 810-726-2162 
tPioneer/Huntsville 
1207 Putnam Drive N.W. 
Huntsville 35805 
Tel: (205) 837-9300 
TWX: 810-726-2197 

ARIZONA 

tHamilton/Avnet Electronics 
505 S. Madison Drive 
Tempe 85281 
Tel: (602) 231-5140 
TWX: 910-950-0077 
tWyle Distribution Group 
8155 N. 24th Street 
Phoenix 85021 
Tel: (602) 249-2232 
TWX: 910-951-4282 

CALIFORNIA 

fArrow Electronics, Inc. 

521 Weddell Drive 

Sunnyvale 94086 

Tel: (408) 745-6600 

TWX: 910-339-9371 

tArrow Electronics, Inc. 

19748 Dearborn Street 

Chatsworth 91311 

Tel: (213) 701-7500 

TWX: 910-493-2086 

tHamilton/Avnet Electronics 

350 McCormick Avenue 

Costa Mesa 92626 

Tel: (714)754-6051 

TWX: 910-595-1928 

tHamilton/Avnet Electronics 

19515 So. Vermont Avenue 

Torrance 90502 

Tel: (213)615-3909 

TWX: 910-349-6263 

tHamilton/Avnet Electronics 

1175 Bordeaux Drive 

Sunnyvale 94086 

Tel: (408) 743-3300 

TWX: 910-339-9332 

tHamilton/Avnet Electronics 

4545 Viewridge Avenue 

San Diego 92123 

Tel: (714)641-4109 

TWX: 910-595-2638 

tHamilton/Avnet Electronics 

10912 W. Washington Boulevard 

Culver City 90230 

Tel: (213)558-2458 

TWX: 910-340-6364 

tHamilton/Avnet Electronics 

21050 Erwin Street 

Woodland Hills 91367 

Tel: (213) 883-0000 

TWX: 910-494-2207 

t Hamilton Electro Sales 

3170 Pullman Street 

Costa Mesa 92626 

Tel: (714) 641-4109 

TWX: 910-595-2638 

tHamiton/Avnet Electronics 

4103 Northgate Boulevard 

Sacramento 95834 

Tel: (916) 920-3150 

Kierulff Electronics, Inc. 

3969 E. Bayshore Road 

Palo Alto 94303 

Tel. (415) 968-6292 

TWX: 910-379-6430 

Kierulff Electronics, Inc. 

14101 Franklin Avenue 

Tustin 92680 

Tel: (714)731-5711 

TWX. 910-595-2599 

Kierulff Electronics, Inc. 

2585 Commerce Way 

Los Angeles 90040 

Tel: (213) 725-0325 

TWX: 910-580-3666 

tWyle Distribution Group 

124 Maryland Street 

El Segundo 90245 

Tel: (213) 322-8100 

TWX: 910-348-7140 or 7111 

tWyle Distribution Group 

9525 Chesapeake Drive 

San Diego 92123 

Tel: (714) 565-9171 

TWX: 910-335-1590 

tWyle Distribution Group 

3000 Bowers Avenue 

Santa Clara 95051 

Tel: (408) 727-2500 

TWX: 910-338-0451 or 0451/0 

tWyle Distribution Group 

1 7872 Cowan Avenue 

Irvine 92714 

Tel. (714) 641-1600 

TWX: 910-595-1572 



COLORADO 

tWyle Distribution Group 
451 E. 124th Avenue 
Thornton 80241 
Tel: (303) 457-9953 
TWX: 910-936-0770 

tHamilton/Avnet Electronics 
8765 E. Orchard Road 
Suite 708 
Englewood 801 1 1 
Tel: (303) 740-1017 
TWX: 910-935-0787 

CONNECTICUT 

tArrow Electonics, Inc. 
1 2 Beaumont Road 
Wallingford 06492 
Tel: (203) 265-7741 
TWX: 710-220-1684 
tHamilton/Avnet Electronics 
Commerce Industrial Park 
Commerce Drive 
Danbury 06810 
Tel: (203) 797-2800 
TWX: 710-456-9974 
tHarvey Electronics 
1 1 2 Main Street 
Norwalk 06851 
Tel: (203) 853-1515 
TWX: 710-468-3373 

FLORIDA 

tArrow Electronics. Inc. 

1001 N.W. 62nd Street 

Suite 108 

Ft. Lauderdale 33309 

Tel: (305) 776-7790 

TWX: 510-955-9456 

tArrow Electronics, Inc. 

50 Woodlake Drive W. 

Bldg. B 

Palm Bay 32905 

Tel: (305) 725-1480 

TWX: 510-959-6337 

tHamilton/Avnet Electronics 

6801 N.W. 15th Way 

Ft. Lauderdale 33309 

Tel: (305) 971-2900 

TWX: 510-956-3097 

tHamilton/Avnet Electronics 

3197 Tech. Drive North 

St. Petersburg 33702 

Tel: (813) 576-3930 

TWX: 810-863-0374 

tPioneer/Orlando 

6220 S. Orange Blossom Trail 

Suite 412 

Orlando 32809 

Tel: (305) 859-3600 

TWX: 810-850-0177 

tPioneer/Ft. Lauderdale 

1500 62nd Street N.W. 

Suite 506 

Ft. Lauderdale 33309 

Tel: (305) 771 -7520 

TWX: 510-955-9653 

GEORGIA 

tArrow Electronics, Inc. 

2979 Pacific Drive 

Norcross 30071 

Tel: (404) 449-8252 

TWX: 810-766-0439 

tHamilton/Avnet Electronics 

5825 D. Peachtree Corners 

Norcross 30092 

Tel: (404) 447-7500 

TWX: 810-766-0432 

t Pioneer/Georgia 

5835B Peachtree Corners E 

Norcross 30092 

Tel: (404) 448-1711 

TWX: 610-766-4515 

ILLINOIS 

tArrow Electronics, Inc. 
2000 E. Alonquin Street 
Schaumberg 60195 
Tel: (312) 397-3440 
TWX- 910-291-3544 
tHamilton/Avnet Electronics 
1 130 Thorndale Avenue 
Bensenville 60106 
Tel: (312) 860-7780 
TWX: 910-227-0060 
t Pioneer/Chicago 
1551 Carmen Drive 
Elk Grove Village 60007 
Tel: (312) 437-9680 
TWX: 910-262-1182 



INDIANA 

tArrow Electronics. Inc. 
2718 Rand Road 
Indianapolis 46241 
(317)243-9353 
TWX: 810-341-3119 
tHamilton/Avnet Electronics 
485 Gradle Drive 
Carmel 46032 
Tel: (317) 844-9333 
TWX: 810-260-3966 
t Pioneer/Indiana 
6408 Castleplace Drive 
Indianapolis 46250 
Tel: (317) 849-7300 
TWX: 810-260-1794 

KANSAS 

tHamilton/Avnet Electronics 

9219 0uivera Road 

Overland Park 66215 

Tel: (913) 888-8900 

TWX: 910-743-0005 

MARYLAND 

tHamilton/Avnet Electronics 

6822 Oak Hall Lane 

Columbia 21045 

Tel: (301) 995-3500 

TWX: 710-862-1861 

tMesa Technology Corporation 

16021 Industrial Drive 

Gaithersburg 20877 

Tel: (301) 948-4350 

TWX: 710-828-9702 

tPioneer 

91 00 Gaither Road 

Gaithersburg 20877 

Tel: (301) 948-0710 

TWX: 710-828-0545 

MASSACHUSETTS 

tHamilton/Avnet Electronics 
50 Tower Office Park 
Woburn 01801 
Tel: (617) 935-9700 
TWX: 710-393-0382 
tArrow Electronics, Inc. 
1 Arrow Drive 
Woburn 01801 
Tel: (617) 933-8130 
TWX: 710-393-6770 
tHarvey/Boston 
44 Hartwell Avenue 
Lexington 02173 
Tel: (617) 863-1200 
TWX: 710-326-6617 

MICHIGAN 

tArrow Electronics, Inc. 
3810 Varsity Drive 
Ann Arbor 48104 
Tel: (313) 971-8220 
TWX: 810-223-6020 
tPioneer/Michigan 
13485 Stamford 
Livonia 48150 
Tel: (313) 525-1800 
TWX: 810-242-3271 
tHamilton/Avnet Electronics 
32487 Schoolcraft Road 
Livonia 48150 
Tel: (313) 522-4700 
TWX: 810-242-8775 

tHamilton/Avnet Electronics 

2215 29th Street S.E. 

Space A5 

Grand Rapids, 49508 

Tel: (61 6) 243-8805 

TWX: 810-273-6921 

MINNESOTA 

tArrow Electronics, Inc. 

5230 W. 73rd Street 

Edina 55435 

Tel: (612) 830-1800 

TWX: 910-576-3125 

tHamilton/Avnet Electronics 

10300 Bren Road East 

Minnetonka 55343 

Tel: (612) 932-0600 

TWX: (91 0)576-2720 

Pioneer/Twin Cities 

10203 Bren Road East 

Minnetonka 55343 

Tel: (612) 935-5444 

TWX: 910-576-2738 

MISSOURI 

tArrow Electronics, Inc. 

2380 Schuetz 

St. Louis 63141 

Tel: (314) 567-6888 

TWX: 910-764-6600 

tHamilton/Avnet Electronics 

13743 Shoreline Court 

Earth City 63045 

Tel: (314) 344-1200 

TWX: 910-762-0684 



NEW HAMPSHIRE 

tArrow Electronics, Inc. 

1 Perimeter Road 
Manchester 03103 
Tel: (603) 668-6968 
TWX: 710-220-1684 

NEW JERSEY 

tArrow Electronics, Inc. 
Pleasant Valley Avenue 
Moorestown 08057 
Tel: (215) 928-1800 
TWX: 710-897-0829 
tArrow Electronics, Inc. 
285 Midland Avenue 
Saddle Brook 07662 
Tel: (201) 797-5800 
TWX: 710-998-2206 
tArrow Electronics, Inc. 

2 Industrial Road 
Fairfield 07006 
Tel: (201) 575-5300 
TWX: 710-998-2206 
tHamilton/Avnet Electronics 
1 Keystone Avenue 

Bldg. 36 

Cherry Hill 08003 
Tel: (609) 424-0100 
TWX: 710-940-0262 
tHarvey Electronics 
45 Route 46 
Pinebrook 07058 
Tel: (201) 575-3510 
TWX: 710-734-4382 
tMTI Systems Sales 
383 Route 46 W 
Fairfield 07006 
Tel: (201) 227-5552 

NEW MEXICO 

tAlliance Electronics Inc. 
1 1030 Cochiti S.E. 
Albuquerque 87123 
Tel: (505) 292-3360 
TWX: 910-989-1151 
tHamilton/Avnet Electronics 
2524 Baylor Drive S.E. 
Albuquerque 87106 
Tel: (505) 765-1500 
TWX: 910-989-0614 

NEW YORK 

tArrow Electronics. Inc. 
900 Broad Hollow Road 
Farmingdale 11735 
Tel: (516) 694-6800 
TWX: 510-224-6126 
tArrow Electronics. Inc. 
3000 South Winton Road 
Rochester 14623 
Tel: (716) 275-0300 
TWX: 510-253-4766 
tArrow Electronics, Inc. 
7705 Maltage Drive 
Liverpool 13088 
Tel: (315) 652-1000 
TWX: 710-545-0230 
tArrow Electronics, Inc. 
20 Oser Avenue 
Hauppauge 11788 
Tel: (516) 231-1000 
TWX: 510-227-6623 
tHamilton/Avnet Electronics 
333 Metro Park 
Rochester 14623 
Tel: (716) 475-9130 
TWX: 510-253-5470 
tHamilton/Avnet Electronics 
16 Corporate Circle 
E. Syracuse 13057 
Tel: (315) 437-2641 
TWX: 710-541-1560 
tHamilton/Avnet Electronics 
5 Hub Drive 

Melville, Long Island 11747 
Tel: (516) 454-6000 
TWX: 510-224-6166 
tHarvey Electronics 
P.O. Box 1208 
Binghamton 13902 
Tel: (607) 748-8211 
TWX: 510-252-0893 
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U.S. DISTRIBUTORS 



NEW YORK (Cont.) 

fHarvey Electronics 

60 Crossways Park West 

Woodbury, Long Island 11797 

Tel: (516) 921-8700 

TWX: 510-221-2184 

tHarvey/Rochester 

840 Fairport Park 

Fairport 14450 

Tel: (716) 381-7070 

TWX: 510-253-7001 

tMTI Systems Sales 

38 Harbor Park Drive 

Port Washington 11050 

Tel: (516) 621-6200 

TWX: 510-223-0846 

NORTH CAROLINA 

tArrow Electronics, Inc. 
938 Burke Street 
Winston-Salem 27101 
Tel: (919) 725-8711 
TWX: 510-931-3169 
tArrow Electronics, Inc. 
3117 Poplarwood Court 
Suite 123 
Raleign 27265 
Tel: (919) 876-3132 
TWX: 510-928-1856 
tHamilton/Avnet Electronics 
2803 Industrial Drive 
Raleigh 27609 
Tel: (919) 829-8030 
TWX: 510-928-1836 
fPioneer/Carolina 
103 Industrial Avenue 
Greensboro 27406 
Tel: (919) 273-4441 
TWX: 510-925-1114 

OHIO 

tArrow Electronics, Inc. 

7620 McEwen Road 

Centerville 45459 

Tel: (513) 435-5563 

TWX: 810-459-1611 

tArrow Electronics, Inc. 

6238 Cochran Road 

Solon 44139 

Tel: (216) 248-3990 

TWX: 810-427-9409 

tHamilton/Avnet Electronics 

954 Senate Drive 

Dayton 45459 

Tel: (513) 433-0610 

TWX: 810-450-2531 

tHamilton/Avnet Electronics 

4588 Emery Industrial Parkway 

Warrensville Heights 44128 

Tel: (216) 831-3500 

TWX: 810-427-9452 

t Pioneer/Dayton 

4433 Interpoint Boulevard 

Dayton 45424 

Tel: (513) 236-9900 

TWX: 810-459-1622 

tPioneer/Cleveland 

4800 E. 131st Street 

Cleveland 44105 

Tel: (216) 587-3600 

TWX: 810-422-2211 

OKLAHOMA 

tArrow Electronics, Inc. 
4719 S. Memorial Drive 
Tulsa 74145 
Tel: (918) 665-7700 



OREGON 

tAlmac Electronics Corporation 

8022 S.W. Nimbus. Bldg. 7 

Beaverton 97005 

Tel: (503) 641-9070 

TWX: 910-467-8743 

tHamilton/Avnet Electronics 

6024 S.W. Jean Road 

Bldg. C, Suite 10 

Lake Oswego 97034 

Tel: (503) 635-7848 

TWX: 910-455-8179 

PENNSYLVANIA 

tArrow Electronics, Inc. 
650 Seco Road 
Monroeville 15146 
Tel: (412) 856-7000 
tPioneer/Pittsburgh 
259 Kappa Drive 
Pittsburgh 15238 
Tel: (412) 782-2300 
TWX: 710-795-3122 
tPioneer/Delaware Valley 
261 Gibralter Road 
Horsham 19044 
Tel: (215) 674-4000 
TWX: 510-665-6778 

TEXAS 

tArrow Electronics. Inc. 
13715 Gama Road 
Dallas 75234 
Tel: (214) 386-7500 
TWX: 910-860-5377 
tArrow Electronics, Inc. 
10700 Corporate Drive 
Suite 100 
Stafford 77477 
Tel: (713) 491-4100 
TWX: 910-880-4439 
tArrow Electronics, Inc. 
10125 Metropolitan 
Austin 78758 
Tel: (512) 835-4100 
TWX: 910-874-1348 
tHamilton/Avnet Electronics 
2401 Rutland 
Austin 78757 
Tel: (512) 837-8911 
TWX: 910-874-1319 
tHamilton/Avnet Electronics 
2111 W. Walnut Hill Lane 
Irving 75062 
Tel: (214) 659-4100 
TWX: 910-860-5929 
tHamilton/Avnet Electronics 
8750 West Park 
Houston 77063 
Tel: (713) 780-1771 
TWX: 910-881-5523 

tPioneer/Austin 

9901 Burnet Road 

Austin 78758 

Tel: (512) 835-4000 

TWX: 910-874-1323 

tPioneer/Dallas 

13710 Omega Road 

Dallas 75234 

Tel: (214) 386-7300 

TWX: 910-850-5563 

tPioneer/Houston 

5853 Point West Drive 

Houston 77036 

Tel: (713) 988-5555 

TWX: 910-576-2738 



UTAH 

tHamilton/Avnet Electronics 

1585 West 2100 South 

Salt Lake City 84119 

Tel: (801)972-2800 

TWX: 910-925-4018 

tArrow Electronics. Inc. 

4980 Amelia Earhart Drive 

Salt Lake City 84112 

Tel: (801) 539-1135 

WASHINGTON 

tAlmac Electronics Corporation 

14360 S.E. Eastgate Way 

Bellevue 98007 

Tel: (206) 643-9992 

TWX: 910-444-2067 

tArrow Electronics, Inc. 

14320 N.E. 21st Street 

Bellevue 98007 

Tel: (206) 643-4800 

TWX: 910-444-2017 

tHamilton/Avnet Electronics 

14212 N.E. 21st Street 

Bellevue 98005 

Tel: (206) 453-5874 

TWX: 910-443-2469 

WISCONSIN 

tArrow Electronics, Inc. 

430 W. Rausson Avenue 

Oakcreek 53154 

Tel: (414) 764-6600 

TWX: 910-262-1193 

tHamilton/Avnet Electronics 

2975 Moorland Road 

New Berlin 53151 

Tel: (414) 784-4510 

TWX: 910-262-1182 
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INTEL EUROPEAN SALES OFFICES 



BELGIUM 

Intel Corporation S.A. 

Pare Seny 

Rue du Moulin a Papier 51 

Boite 1 

B-1160 Brussels 

Tel: (02) 661 07 11 

TELEX: 24814 

DENMARK 

Intel Denmark A/S' 
Lyngbyvej 32F 2nd Floor 
DK-2100 Copenhagen East 
Tel: (01) 18 20 00 
TELEX: 19567 

FINLAND 

Intel Finland OY 
Hameentie 103 
SF ■ 00550 Helsinki 55 
Tel: 0/716 955 
TELEX: 123 332 

FRANCE 

Intel Corporation, S.A.R.L.* 
5 Place de la Balance 
Silic 223 

94528 Rungis Cedex 
Tel: (01) 687 22 21 
TELEX: 270475 

Intel Corporation, S.A.R.L. 
Immeuble BBC 
4 Quai des Etroits 
69005 Lyon 
Tel: (7) 842 40 89 
TELEX: 305153 



WEST GERMANY 

Intel Semiconductor GmbH' 
Seidlstrasse 27 
D-8000 Muenchen 2 
Tel: (89) 53891 
TELEX: 05-23177 INTLD 
Intel Semiconductor GmbH' 
Mainzer Strasse 75 
D-6200 Wiesbaden 1 
Tel: (6121) 70 08 74 
TELEX: 04186163 INTWD 
Intel Semiconductor GmbH 
Brueckstrasse 61 
7012Fellbach 
West Germany 
Tel: (71 1)58 00 82 
TELEX: 7254826 INTS D 
Intel Semiconductor GmbH* 
Hohenzollern Strasse 5* 
3000 Hannover 1 
Tel: (511) 34 40 81 
TELEX: 923625 INTH D 
Intel Semiconductor GmbH 
Ober-Ratherstrasse 2 
D-4000 Dusseldorf 30 
Tel: (211) 65 10 54 
TELEX: 08-58977 INTL D 

ISRAEL 

Intel Semiconductor Ltd.' 

P.O. Box 1659 

Haifa 

Tel: 4/524 261 

TELEX: 46511 



ITALY 

Intel Corporation Italia Spa* 
Milanofiori, Palazzo E 
20094 Assago (Milano) 
Tel: (02) 824 00 06 
TELEX. 315183 INTMIL 

NETHERLANDS 

Intel Semiconductor Nederland B.V.* 

Alexanderpoort Building 

Marten Meesweg 93 

3068 Rotterdam 

Tel: (10) 21 33 77 

TELEX: 22283 

NORWAY 

Intel Norway A/S 

P.O. Box 92 

Hvamveien 4 

N-2013 

Skjetten 

Tel: (2) 742 420 

TELEX: 18018 



SWEDEN 

Intel Sweden A.B.* 
Box 20092 
Archimedesvagen 5 
S-16120 Bromma 
Tel: (08) 98 53 85 
TELEX: 12261 

SWITZERLAND 

Intel Semiconductor A.G.' 
Forchstrasse 95 
CH 8032 Zurich 
Tel: (01) 55 45 02 
TELEX: 57989 ICH CH 

UNITED KINGDOM 

Intel Corporation (U.K.) Ltd." 

5 Hospital Street 

Nantwich. Cheshire CW5 5RE 

Tel: (0270) 626 560 

TELEX: 36620 

Intel Corporation (U.K.) Ltd.* 

Pipers Way 

Swindon, Wiltshire SN3 1RJ 

Tel: (0793) 488.388 

TELEX: 444447 INT SWN 



'Field Application Location 



EUROPEAN DISTRIBUTORS/REPRESENTATIVES 



February 1983 



AUSTRIA 

Bacher Elektronische Geraete GmbH 

Rotemuehlgasse 26 

A 1120 Vienna 

Tel: (222) 83 63 96 

TELEX: 11532BASATA 

BELGIUM 

Inelco Belgium S.A. 

Ave. des Croix de Guerre 94 

B1120 Brussels 

Tel: (02) 216 01 60 

TELEX: 25441 

DENMARK 

MultiKomponent A/S 
Fabriksparken 31 
DK-2600 Gloskrup 
Tel: (02) 45 66 45 
TX: 33355 

Scandinavian Semiconductor 
Supply A/S 
Nannasgade 18 
DK-2200 Copenhagen 
Tel: (01) 83 50 90 
TELEX: 19037 

FINLAND 

Oy Fintronic AB 

Melkonkatu 24 A 

SF-00210 

Helsinki 21 

Tel: (0) 692 60 22 

TELEX: 124 224 Ftron SF 

FRANCE 

Jermyn S.A. 
rue Jules Ferry 35 
93170 Bagnolet 
Tel: (1)859 04 04 
TELEX: 213810 F 
Metrologie 
La Tour d' Asnieres 
1 , Avenue Laurent Cely 
92606-Asnieres 
Tel: (1)791 44 44 
TELEX: 611 448 
Tekelec Airtronic 
Cite des Bruyeres 
Rue Carle Vernet 
F-92310 Sevres 
Tel: (01) 534 75 35 
TELEX: 204552 



WEST GERMANY 

Electronic 2000 Vertriebs A.G. 

Neumarkter Strasse 75 

D-8000 Munich 80 

Tel: (89) 43 40 61 

TELEX: 522561 EIEC D 

Jermyn GmbH 

Postfach 1180 

Schulstrasse 48 

D-6277 Bad Camberg 

Tel: (06434) 231 

TELEX: 484426 JERM D 

Celdis Enatechnik Systems GmbH 

Schillerstrasse 14 

D-2085 Quickborn-Hamburg 

Tel: (4106) 6121 

TELEX: 213590 ENAD 

Proelectron Vertriebs GmbH 

Max Planck Strasse 1-3 

6072 Dreieich bei Frankfurt 

Tel: (6103) 33564 

TELEX: 417983 

IRELAND 

Micro Marketing 
Gienageary Office Park 
Glenageary 
Co. Dublin 
Tel: (1)85 62 88 
TELEX: 31584 

ISRAEL 

Eastronics Ltd. 
1 1 Rozanis Street 
P.O. Box 39300 
Tel Aviv 61390 
Tel: (3) 47 51 51 
TELEX: 33638 

ITALY 

Eledra 3S S.P.A. 

Viale Elvezia, 18 

I 20154 Milano 

Tel: (2) 34 97 51 

TELEX: 332332 

Intesi 

Milanfiori Pal. E/5 

20090 Assago 

Milano 

Tel: (02) 82470 

TELEX: 311351 



NETHERLANDS 
Koning & Hartman 
Koperwerf 30 
P.O. Box 43220 
2544 EN 's Gravenhage 
Tel: 31 (70) 210.101 
TELEX: 31528 

NORWAY 

Nordisk Elektronic (Norge) A/S 
Postoffice Box 122 
Smedsvingen 4 
1364 Hvalstad 
Tel: (2) 786 210 
TELEX: 16963 

PORTUGAL 

Ditram 

Componentes E Electronica LDA 

Av. Miguel Bombarda, 133 

P1000 Lisboa 

Tel: (19) 545 313 

TELEX: 14182 Brieks-P 

SPAIN 

Interface S.A. 

Ronda San Pedro 22, 3 

Barcelona 10 

Tel: (3) 301 78 51 

TWX: 51508 

ITT SESA 

Miguel Angel 23-3 

Madrid 10 

Tel: (1)419 54 00 

TELEX: 27707 

SWEDEN 

AB Gosta Backstrom 
Box 12009 
Alstroemergatan 22 
S-10221 Stockholm 12 
Tel: (8) 541 080 
TELEX: 10135 

Nordisk Electronik AB 
Box 27301 
Sandhamnsgatan 71 
S-1 0254 Stockholm 
Tel: (8) 635 040 
TELEX: 10547 



SWITZERLAND 

Industrade AG 
Gemsenstrasse 2 
Postcheck 80 -21190 
CH-8021 Zurich 
Tel: (01) 363 23 20 
TELEX: 56788 INDEL CH 

UNITED KINGDOM 
Bytech Ltd. 
Unit 57 
London Road 
Earley, Reading 
Berkshire 
Tel: (0734) 61031 
TELEX: 848215 

Comway Microsystems Ltd. 
Market Street 
UK-Bracknell, Berkshire 
Tel: 44 (344) 55333 
TELEX: 847201 
DECADE Ltd. 
100 School Road 
Tilehurst 

Reading, Berkshire 
Tel: (0734) 413127 
TELEX: 837953 
Jermyn Industries 
Vestry Estate 
Sevenoaks, Kent 
Tel: (0732) 450144 
TELEX: 95142 
M.E.D.L. 
East Lane Road 
North Wembley 
Middlesex HA9 7PP 
Tel: (01) 904 93 07 
TELEX: 28817 
Rapid Recall, Ltd. 
Rapid House/Denmark St 
High Wycombe 
Berks, England HP11 2ER 
Tel: (0494) 26 271 
TELEX: 837931 

YUGOSLAVIA 

H. R. Microelectronics Enterprises 

P.O. Box 5604 

San Jose, California 95150 

Tel: 408/978-8000 

TELEX: 278-559 



Intel Corporation 
3065 Bowers Avenue 
Santa Clara, CA 95051 

Intel Corporation S.A. 

Pare Seny 

Rue du Moulin a Papier 5 1 

Boite 1 

B- 11 60 Brussels 

Belgium 

Intel Japan K.K. 

5-6 Tokodai Toyosato-machi 

Tsukuba-gun, Ibaraki-ken 300*26 

Japan 
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